Washington Update: $4.3 Million HIPAA Penalty for Breach of Unencrypted PHI.

Topics: Health Insurance Portability and Accountability Act of 1996; protected health information

A U.S. Department of Health and Human Services (HHS) administrative law judge (ALJ) has ruled that a cancer treatment center violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The violations arose when the electronic protected health information (ePHI) of more than 33,000 individuals was breached: an unencrypted laptop was stolen from a teleworker's home, and two other employees of the center lost unencrypted USB drives. The ruling requires the cancer treatment center to pay a penalty of more than $4.3 million.

The HHS Office for Civil Rights (OCR) opened an investigation after three separate breach reports in 2012 and 2013. The investigation found that the center had recognized as early as 2006 that unencrypted devices posed a high risk to ePHI and had written encryption policies to address that risk, yet it did not adopt enterprise-wide encryption until 2011 and did not fully implement its encryption policy until 2013. OCR proposed penalties of $2,000 per day from March 2011 to January 2013 for the failure to encrypt, plus $1.5 million per year for 2012 and 2013 for the unauthorized disclosures of ePHI. The cancer treatment center opposed OCR's allegations and...