HIPAA Encryption Requirements? Not Really!

To be sure, encryption may not always be directly required, but it is often best practice. When it comes to HIPAA compliance, the way you store sensitive data is just as important as where you store it. Meeting HIPAA requirements with electronic data encryption is a good place to start, but we also recommend a few additional measures beyond simple encryption to help prevent costly data breaches. We recommend using encryption as a method to secure data and devices!

In 2018, HIPAA penalties hit an all-time high. Even though several settlements were reached, many entities paid substantial fines. Often, the health facilities or contractors were cited for lackluster encryption, paying fines even with no evidence of a data breach. Last year, the Department of Health and Human Services' (HHS) Office of Civil Rights (OCR) issued a $4.3 million fine to the University of Texas MD Anderson Cancer Center, in part for lack of encryption. Similarly, Fresenius Medical North America picked up a $3.5 million fine, and lack of encryption was one of several noted violations. In 2017, Children's Medical Center of Dallas was issued a $3.2 million fine, in part for failing to encrypt a phone and a laptop that were stolen, in violation of HIPAA requirements. The same year, CardioNet, a company that specializes in mobile electrocardiograms, accrued a $2.5 million fine.

Encryption Requirements: The Case of University of Texas MD Anderson Cancer Center

One serious violation included the theft of an unencrypted laptop, also in violation of HIPAA encryption requirements. What happened with the University of Texas MD Anderson Cancer Center reads like a cautionary tale of not following HIPAA encryption requirements. Despite no evidence of a breach, the cancer center was ordered to pay because it had not encrypted its data.