June 29, 2018
Taylor Porter Partner and health information technology attorney Cindy Amedee had her article, "HIPAA Privacy, Security Rules Front and Center Following M.D. Anderson Breach Ruling," published in the June 2018 issue of the Louisiana Hospital Association Impact Lawbrief Newsletter.
Cindy Amedee is a partner in the Baton Rouge office of Taylor Porter, and a member of the Firm’s healthcare and healthcare information technology practice teams.
Below is the full text of the article.
"HIPAA Privacy, Security Rules Front and Center Following M.D. Anderson Breach Ruling"
By: Cindy Amedee
On June 18, 2018, the U.S. Department of Health and Human Services, Office of Civil Rights (OCR) announced a $4.3 million penalty against M.D. Anderson Cancer Center for three breaches of unprotected personal health information (PHI) that occurred in 2012 and 2013. One breach involved theft of an unencrypted laptop, and the other two breaches involved theft of unencrypted thumb drives, all of which contained personal health information. The breaches affected more than 33,000 patients.
The Department found that M.D. Anderson did not encrypt all its electronic health information, despite having a written policy regarding encryption. OCR stated that the amount of the penalty is based on the number of patients that were affected and the amount of time that M.D. Anderson was out of compliance with HIPAA. M.D. Anderson argued that it was not responsible for encrypting all the data and that not all of the data included personal health information and, therefore, was not subject to HIPAA. The Office of Civil Rights did not agree with these arguments.
On June 15, 2018, the United States District Court for the District of Columbia fell in line with other courts when it ruled that a patient has no private right of action under HIPAA against his or her health care provider for a breach of health information. A patient may file suit under some other theory of law, but the court will dismiss claims that rely on HIPAA. Patients’ sole remedy for breach of health information under HIPAA is the filing of complaints with the Secretary of the U.S. Department of Health and Human Services and/or a State’s attorney general’s office.
Health information sharing, and the rules and regulations of software, licensing and technology issues, are important issues to our health care clients, and these issues are coming to the forefront as more is being done to try to curb record hacking with the advances of technology. In keeping with Taylor Porter’s commitment to its health care clients to actively monitor the latest state and federal regulatory developments within the health care industry, our firm wants to make clients aware of these two noteworthy stories this week that focus on the growing concern of health information technology issues.
According to an article in the HIPAA Journal, “Report: Healthcare Data Breaches in Q1, 2018,” there have been 77 healthcare data breaches reported to the Department of Health and Human Services’ OCR. Those breaches have impacted more than one million patients and health plan members – almost twice the number of individuals that were impacted by healthcare data breaches in Q4, 2017. The Journal reported that the main cause of breaches in Q1, 2018 was unauthorized access/disclosures – 35 incidents; followed by 15 breaches involving the loss or theft of electronic devices containing ePHI, all of which could have been prevented had encryption been used.
The two largest breaches of the year to date have affected Oklahoma State University Health Sciences Center (279,865 individual patients affected) and St. Peter’s Surgery & Endoscopy Center (134,512). In both cases, hackers gained access to the networks, and viewed and obtained patients’ PHI.
Health information sharing, and the rules and regulations of software, licensing and technology issues are important issues to healthcare companies. These issues are coming to the forefront as more is being done to try to curb record hacking with the advances of technology. These first quarter 2018 data breach numbers, the result of the M.D. Anderson breach, and the instances of several other healthcare centers’ breaches should encourage administrative leaders to take proactive measures in medical records, ehealth issues and HIPAA privacy and security to protect the information of their patients.