Failure to Encrypt Leads to $4.3 Million in HIPAA Civil Money Penalties | Practical Law


An administrative law judge (ALJ) has upheld an assessment by the Department of Health and Human Services (HHS) of $4.3 million in civil money penalties against a health provider and covered entity under the Health Insurance Portability and Accountability Act (HIPAA). HHS's investigation of the provider began after the covered entity submitted breach reports involving the theft or loss of unencrypted devices containing individuals' electronic protected health information (ePHI).


Practical Law Legal Update w-015-3051 (Approx. 6 pages)


by Practical Law Employee Benefits & Executive Compensation
Published on 20 Jun 2018 | USA (National/Federal)
On June 18, 2018, HHS announced that an administrative law judge (ALJ) upheld its assessment of $4.3 million in civil money penalties against a Texas-based health provider and HIPAA covered entity (CE) for alleged violations of the HIPAA Privacy and Security Rules (see Practice Notes, HIPAA Privacy Rule and HIPAA Security Rule, and HIPAA Privacy, Security, and Breach Notification Toolkit). The health provider operates inpatient and outpatient cancer treatment facilities and two diagnostic imaging clinics. According to the related press release regarding the ALJ's ruling, the penalties are the fourth largest amount ever awarded to HHS by an ALJ.

HHS's Investigation and Proposed Penalties

HHS began its investigation after the CE submitted three separate HIPAA breach notification reports in 2012 and 2013 (see Practice Note, HIPAA Breach Notification Rules for Group Health Plans). The breach reports involved:
  • The theft, from a workforce member's residence, of an unencrypted laptop computer used for teleworking, which contained the electronic protected health information (ePHI) of nearly 30,000 individuals.
  • The loss of two unencrypted USB drives, which had belonged to a trainee and a visiting researcher (respectively), and collectively contained the ePHI of roughly 5,800 individuals.
HHS's subsequent investigation revealed that the CE:
  • Recognized the need to encrypt its devices beginning in 2006, but failed to begin implementing enterprise-wide encryption until 2011 and still had not completed encrypting its devices as of January 2013.
  • Impermissibly disclosed the ePHI of at least 34,883 individuals.
Following its investigation, HHS issued a notice of proposed determination, in which it requested the following civil money penalties:
  • $2,000 per day for each day the CE failed to encrypt its electronic devices, for a total of $1,348,000 (45 C.F.R. § 164.312(a)(2)(iv)).
  • $1.5 million per year for 2012 and 2013 for the impermissible disclosure of ePHI, for a total of $3 million (45 C.F.R. § 164.502(a)).
In reaching its proposed penalty determination, HHS noted several aggravating factors, including:
  • The amount of time the CE continued using unencrypted devices after recognizing the need for encryption.
  • The CE's actual knowledge of the need for encryption based on 2010 and 2011 information security program and annual reports and a 2011 corporate compliance risk analysis, which indicated:
    • encryption was a "key risk area" that had not been mitigated;
    • the CE lacked an enterprise-wide solution for encrypting devices; and
    • workforce members were downloading ePHI onto portable devices for use outside the CE's facilities.
  • The CE's 2012 submission of a series of breach reports involving 19 instances of stolen mobile devices containing ePHI.

ALJ's Decision

Ruling in HHS's favor on appeal, the ALJ determined that the proposed penalties were reasonable. In the ALJ's view, the CE knew of the need to encrypt its devices, but made "half-hearted and incomplete" encryption efforts. The ALJ rejected the CE's defenses, including its argument that it was not required to actually encrypt its devices so long as it implemented a mechanism to encrypt and decrypt ePHI. In the CE's view, it met this requirement by:
  • Password protecting computers and portable devices.
  • Requiring protected data stored on portable devices to be encrypted and backed up.
  • Providing annual training on proper transmission and disposal of ePHI.
The ALJ acknowledged that HIPAA's implementing regulations do not specifically require CEs to encrypt devices. He noted, however, that the CE had chosen encryption as its mechanism for protecting ePHI, but had failed to properly implement it.
Regarding the penalty amount, the ALJ:
  • Agreed that the HIPAA violations were due to reasonable cause and not due to willful neglect.
  • Rejected the CE's argument that it did not know about the violations and would not have known about them by exercising reasonable diligence.
The ALJ emphasized that the CE had repeatedly acknowledged the risk posed by unencrypted devices containing ePHI. Therefore, the losses were foreseeable, even if the specific events leading to the losses were not.

Practical Impact

While settlement agreements in the HIPAA privacy and security context between HHS and CEs or business associates occur with some regularity, civil money penalties are awarded less frequently (see Legal Update, HHS Imposes $3.2 Million in Civil Money Penalties for Failure to Encrypt). The ALJ's ruling faults the CE, at length, for adopting policies that acknowledged the need for encryption and for protecting confidential information (including ePHI), but not fully carrying out those policies in practice for years.
As this ruling also illustrates, stolen laptops and lost thumb drives continue to result in HHS enforcement actions (see Practice Note, HIPAA Enforcement and Group Health Plans: Settlement Agreements). Interestingly, the stolen laptop at issue here belonged to an employee-teleworker, which underscores the need for HIPAA risk assessments to give special consideration to workforce members in the telecommuting context.