Issue link: https://beckershealthcare.uberflip.com/i/1027775
HEALTHCARE NEWS

MD Anderson slapped with $4.3M penalty for HIPAA violations

By Jessica Kim Cohen

An HHS administrative law judge upheld an HHS Office for Civil Rights finding requiring the University of Texas MD Anderson Cancer Center in Houston to pay $4,348,000 in civil penalties for HIPAA violations related to the organization's encryption policies, HHS confirmed June 18.

Here are five things to know about the ruling:

1. MD Anderson was investigated after three data breach reports in 2012 and 2013. The reports involved the theft of an unencrypted laptop from an employee's residence and the loss of two unencrypted flash drives containing unencrypted electronic protected health information of more than 33,500 people.

2. The investigation found that although MD Anderson had encryption policies from as early as 2006, it did not adopt system-wide encryption of ePHI until 2011. The OCR said MD Anderson also failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011, and January 25, 2013.

3. In response to the findings, MD Anderson said it was not obligated to encrypt its devices, in part because the ePHI in question was for research, and thus not subject to HIPAA's nondisclosure requirements. MD Anderson also argued HIPAA's penalties were unreasonable.

"Patient privacy is of extreme importance at The University of Texas MD Anderson Cancer Center, and substantial measures are in place to ensure the protection of private patient information," an MD Anderson spokesperson emailed Becker's Hospital Review June 19. "In all three cases involving the loss or theft of devices reviewed by the administrative law judge, there is no evidence any patient information was viewed or any harm to patients was caused."

4. However, the administrative law judge agreed with the arguments and findings of the OCR and upheld its determination of $4,348,000 in penalties, based on each day of MD Anderson's noncompliance with HIPAA and for each record of individuals breached. The judge said MD Anderson's "dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI."

"OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations," OCR Director Roger Severino said in a June 18 statement. "We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information."

5. MD Anderson said it plans to appeal the administrative law judge's ruling.

"We are disappointed by the ALJ's ruling, and we are concerned that key exhibits and arguments were not considered," a health system spokesperson wrote. "Regardless of the ALJ's decision, we hope this process brings transparency, accountability and consistency to the Office for Civil Rights' enforcement process."

New technology, ancient origins: How Epic, Cerner & more got their names

By Jessica Kim Cohen

Most EHR vendors have barely hit their 50th anniversary, but their namesakes trace back to origins as early as ancient Rome and early Greek mythology.

Here's how four major players in the EHR market got their names:

Athenahealth: Jonathan Bush and Todd Park founded the company in 1997 as a medical practice and birthing clinic in San Diego called Athena Women's Health — a reference to Athena, the Greek goddess of wisdom and war. Mr. Bush and Mr. Park noticed their team was expending significant effort to get reimbursed for their services and decided to take a stab at developing their own solution. They soon rebranded the company — now a cloud-based IT services provider for medical practices beyond women's health — as athenahealth, keeping the name "Athena" for its association with wisdom and strength.

Cerner: Neal Patterson, Paul Gorup and Cliff Illig launched Cerner in 1979 as a software company called PGI & Associates, based on the first letters of their three last names. Five years later the company launched its first product, PATHnet, a laboratory information systems program for pathology practices. The three founders chose to rename the company following the product's launch in 1984, and selected the name Cerner, derived from the Latin word cernere, which loosely translates as "to discern." The company chose the name Cerner because Jeanne Lillig-Patterson, Mr. Patterson's wife, liked it, according to Forbes.

Epic: Judy Faulkner famously founded Epic in a Wisconsin basement in 1979. The company, originally called Human Services Computing, developed data analysis software for local governments and the University of Wisconsin-Madison psychology department, according to the Madison newspaper Isthmus. The company rebranded as Epic in 1983 after releasing a patient scheduling program. Today, the company's website notes that an epic is a "glorious recounting of a nation's events … [and] like the Iliad or the Odyssey, our electronic health records chronicle the story of a patient's healthcare over time."

Meditech: Meditech's story begins in 1964 — five years before it formally opened for business — when the company's founder A. Neil Pappalardo developed a computer programming language designed for the healthcare industry. The language, MUMPS, or the Massachusetts General Hospital Utility Multi-Programming System, is still in use today. Mr. Pappalardo believed computer systems would be able to streamline care processes throughout a hospital, and he expanded his software vision into the health IT company Medical Information Technology in 1968, which opened its doors in 1969. Today, the company's name is almost always abbreviated as Meditech.

Editor's note: Allscripts, which does not outline company history on its website, did not respond to Becker's Hospital Review's request for comment July 25.