
HIPAA Privacy, Security Rules Front and Center Following M.D. Anderson Breach Ruling

By: Cindy Amedee
Partner, Taylor Porter
cindy.amedee@taylorporter.com
225.381.0279

On June 18, 2018, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced a $4.3 million penalty against M.D. Anderson Cancer Center for three breaches of unsecured protected health information (PHI) that occurred in 2012 and 2013. One breach involved the theft of an unencrypted laptop, and the other two involved the loss of unencrypted USB thumb drives; all three devices contained electronic PHI. The breaches affected more than 33,000 patients.

OCR found that M.D. Anderson had not encrypted all of its electronic PHI, even though its own written policies required encryption and its risk analyses had identified unencrypted portable devices as a risk. OCR stated that the amount of the penalty reflects the number of patients affected and the length of time M.D. Anderson remained out of compliance with HIPAA. M.D. Anderson argued that it was not obligated to encrypt all of the data and that some of the data was not PHI and therefore was not subject to HIPAA. OCR rejected both arguments. Under the Security Rule, encryption is an "addressable" implementation specification, but "addressable" does not mean optional: a covered entity that does not implement encryption must document why it is not reasonable and appropriate and implement an equivalent alternative measure. A written policy that is never carried out satisfies neither requirement.

On another front, the United States District Court for the District of Columbia followed other courts when it ruled on June 15, 2018, that a patient has no private right of action under HIPAA against his or her health care provider for a breach of health information. A patient may file suit under some other theory of law, such as negligence or a state privacy statute, but the court will dismiss claims that rely on HIPAA itself. A patient's sole remedy under HIPAA is to file a complaint with the Secretary of the U.S. Department of Health and Human Services and/or a State attorney general's office.

According to an article in the HIPAA Journal, 77 healthcare data breaches were reported to OCR in the first quarter of 2018. Those breaches affected more than 1 million patients and health plan members, almost twice the number affected by healthcare data breaches in the fourth quarter of 2017. The Journal reported that the leading cause of breaches in the first quarter of 2018 was unauthorized access or disclosure (35 incidents), followed by 15 breaches involving the loss or theft of electronic devices containing electronic PHI. Every one of those 15 device incidents could have been avoided had the devices been encrypted: under the HIPAA Breach Notification Rule, PHI that has been encrypted in accordance with HHS guidance is not "unsecured," so the loss of a properly encrypted device is not a reportable breach.

Health information sharing, together with the software, licensing, and technology rules that govern it, is an important issue for our health care clients, and it is moving to the forefront as providers adopt new technology to curb the theft and misuse of patient records. In keeping with Taylor Porter's commitment to actively monitor the latest state and federal regulatory developments within the health care industry, our Firm wants to make clients aware of these noteworthy stories from this week, each of which highlights the growing concern over health information technology and security.

Taylor Porter's Health Care Information Technology practice can help clients understand these complex health care technology issues and take proactive measures in medical records management, electronic health information, and HIPAA privacy and security to protect the information of their patients.