Texas Hospital Order To Pay $4.3M For Failure To Implement Its HIPAA Security Policies

SM
Sheppard Mullin Richter & Hampton

Contributor

Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.
A Texas hospital was recently ordered by an administrative law judge to pay a $4,300,000 penalty for three data breaches over the course of 2012 and 2013 ...
United States Privacy

A Texas hospital was recently ordered by an administrative law judge to pay a $4,300,000 penalty for three data breaches over the course of 2012 and 2013 that exposed the personal health information – including social security numbers, patient names and treatment records – of more than 33,000 individuals in violation of HIPAA. The specific incidents related to the theft of an unencrypted laptop and the loss of unencrypted USB flash drives, both of which contained electronic personal health information.

In reaching his decision against the hospital, the University of Texas MD Anderson Cancer Center, the judge noted that although the hospital developed and approved written encryption policies and protocols in 2006, it did not fully implement them. For example, full encryption had still not been achieved in November 2013. The judge rejected the argument that encryption of the exposed data was not required under HIPAA because the data was used for research purposes.

Putting it Into Practice: This decision is a reminder that it is not enough to create policies, procedures and protocols. Regulators will look to see that they have been implemented as well. This is a good reminder not only for those in the healthcare field, but in other industries as well.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More