We are surprised to read this morning that The University of Texas MD Anderson Cancer Center (MDA) filed a petition with the Fifth Circuit Court of Appeals asking that the decision it had previously appealed within HHS be reviewed. For those who do not remember, MDA endured a $4.3M civil monetary penalty (not a corrective action plan) after losing ePHI on three unencrypted devices.
It is reported that MDA tried arguing that an "addressable" HIPAA citation means the security control cited is "optional". It is also reported that the HHS appeals process revealed "... indisputable evidence that MDA determined that encryption of its portable electronic devices was reasonable and appropriate ...". To be clear, Security Rule addressable citations are discussed at §164.306(d)(3), and Covered Entities or Business Associates must:
assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, then either:
implement the implementation specification if reasonable and appropriate; or
document why it would not be reasonable and appropriate to implement the implementation specification and implement an equivalent alternative measure if reasonable and appropriate.
What are the takeaways?
encrypt data at rest, especially where portable ePHI is stored (e.g. backup media, laptops and tablets, USB devices, etc.), or
have one REALLY GOOD documented justification why not, plus an equivalent alternative measure, and a BIG checkbook.
We don't know who is advising MDA, and frankly it wouldn't change the case or the poor decisions MDA continues to make. It's important that when HIPAA expertise is needed, proper counsel is obtained - someone who works HIPAA and knows the Rules - and to understand that a good consulting company like ours can easily show how to implement a compliant and secure program. I wonder how the years of lawyers' fees compare to the HHS CMP judgement...