MD Anderson Fined and PHI Uses for Research

It has been a busy couple weeks for the Office of Civil Rights!  They are stepping up their enforcement, jailing thieves, and adding new policies.  Let’s break down the results and learn how YOU can stay off the OCR’s list!

MD Anderson

MD Anderson, the premier cancer center in Houston Texas, has been fined $4.3 Million. Why you ask? Lack of encryption on a stolen laptop and USB drives. This is a heart breaker if you ask me. MD Anderson provides world class cancer cures for people all over the globe.

OCR’s investigation found that MD Anderson had written encryption policies going as far back as 2006 and that MD Anderson’s own risk analysis had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013. The ALJ agreed with OCR’s arguments and findings and upheld OCR’s penalties for each day of MD Anderson’s non-compliance with HIPAA and for each record of individuals breached. You can read the full violation here.

3 Year Jail Term for VA Employee

Not sure about you but I am not suited for Jail! A former employee at the VA Medical Center in Long Beach CA has been convicted of stealing more that 1,000 patients records. He will now spend 3 years in the state penitentiary for his crime. Stealing PHI does come with consequences and a cellmate!

Uses and Disclosure of PHI for Research

The HIPAA privacy rule does permit covered entities to use patients’ PHI for research without obtaining individual authorizations under certain circumstances. We now have new guidelines related to HIPAA authorization for research .

Individuals should be aware that revocation of an authorization does not always mean that the individual’s information may no longer be used in the research study or may no longer be used or disclosed for any other purpose. A covered entity may continue to use and disclose PHI that was obtained before the individual revoked authorization to the extent that the entity has taken action in reliance on the authorization.

The privacy rule does not require a covered entity to provide periodic reminders about an individual’s right to revoke an authorization. Instead, the privacy rule requires such entities to provide individuals with a copy of their signed authorization to ensure the individual is aware of the ongoing potential for the uses and disclosures of PHI pursuant to an authorization that has not expired.

So, what can you do?

Remember that HIPAA compliance and protecting PHI does not take a day off. Think about how your actions impact yourself, your company, your community, and your family.  As customers, and  soon to be customers, of VanRein Compliance we are always here to help guide you thru the pitfalls of HIPAA compliance.

If you have questions or concerns, feel free to schedule a 15 minute complimentary review with one of our compliance guides.