Thora Johnson was quoted on June 19, 2018, in Bloomberg Law on the importance of encrypting healthcare data, in light of the recent $4.3 million penalty levied on the MD Anderson Cancer Center for privacy violations. The penalty signals to healthcare companies the need to act quickly to remedy compliance violations under the Health Insurance Portability and Accountability Act (HIPAA).
Ms. Johnson said that encryption is technically not required under HIPAA, but the Office for Civil Rights (OCR) has been signaling for some time that in many cases it's a reasonable measure to employ. The summary judgment against MD Anderson is sure to drive that message home.
Even if a healthcare organization determines that full encryption isn’t feasible, the ruling is a good reminder that an obligation exists to implement another, equivalent security measure to protect patient data, noted Johnson.
MD Anderson may have chosen not to settle with the OCR because it thought the administrative law judge would come up with a lower penalty than the OCR, which turned out not to be the case. The decision to argue the case in front of the administrative law judge may also have stemmed from a desire to avoid entering into a corrective plan with the OCR, Johnson added.