A recent Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules ruling in Houston, Texas, against MD Anderson Cancer Center underscores the importance of not just developing, but following, established rules, policies and procedures. The lack of policies and procedures is always problematic, but often the failure to follow existing ones can lead to higher penalties or, even worse, serve as a pretext for an inference of misconduct. (See: Norris v. City of Millbrook, Case No. 2:11-cv-051-MEF (WO)).

In Norris, the court found that a reasonable juror could conclude that an employer’s failure to abide by its own misconduct policies and procedures could demonstrate pretext for misconduct, and the court found the employer liable for discrimination on this basis.

In MD Anderson, the judge ruled in favor of the Office for Civil Rights (OCR), requiring the cancer center to pay $4.3 million in penalties for violating the HIPAA Privacy and Security Rules. The judgment stemmed from the theft of an unencrypted laptop from the home of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing unencrypted protected health information (PHI) of over 33,500 individuals in 2012 and 2013, respectively. MD Anderson had policies in place requiring device encryption and prohibiting employees from removing devices from the facility unless they were encrypted. But before MD Anderson completed the encryption process, three unencrypted devices containing PHI were lost or stolen after an employee transported them off the premises. Although the employee failed to follow policy, the outcome of these data losses would likely have been much different if MD Anderson had followed through on its own policy to encrypt its devices.

The judge stated in his decision, “…failure by Respondent to take the security measures that it had identified as necessary renders irrelevant the issue of whether employees were playing by the rules, because that failure created a risk whether or not Respondent’s employees did so.” OCR investigated and found that MD Anderson had encryption policies in place but failed to follow its own policies. Despite those policies and procedures (P&P), it took another five years for MD Anderson to adopt an enterprise-wide solution for encrypting electronic PHI, and even then it failed to deploy encryption technology on all of its vulnerable devices.

The $4.3 million reflects penalties for each day of MD Anderson’s non-compliance with HIPAA and for each individual’s record that was breached. This is the fourth highest ruling in history in OCR’s favor.

For more information on HIPAA, contact Linda at 781-272-8001.