Cookies on BBB.org

We use cookies to give users the best content and online experience. By clicking “Accept All Cookies”, you agree to allow us to use all cookies. Visit our Privacy Policy to learn more.

Cookie Preferences

Many websites use cookies or similar tools to store information on your browser or device. We use cookies on BBB websites to remember your preferences, improve website performance and enhance user experience, and to recommend content we believe will be most relevant to you. Most cookies collect anonymous information such as how users arrive at and use the website. Some cookies are necessary to allow the website to function properly, but you may choose to not allow other types of cookies below.

Necessary Cookies

What are necessary cookies?
These cookies are necessary for the site to function and cannot be switched off in our systems. They are usually only set in response to actions made by you that amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not work. These cookies do not store any personally identifiable information.

Necessary cookies must always be enabled.

Functional Cookies

What are functional cookies?
These cookies enable the site to provide enhanced functionality and personalization. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies, some or all of these services may not function properly.

Performance Cookies

What are performance cookies?
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.

Marketing Cookies

What are marketing cookies?
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant content on other sites. They do not store personal information directly, but are based on uniquely identifying your browser or device. If you do not allow these cookies, you will experience less targeted advertising.

Additional Information

Additional Information for University of Texas M.D. Anderson Cancer Center

View full profile
Location of This Business
1515 Holcombe Blvd, Houston, TX 77030-4000
BBB File Opened:
2/13/1999
Years in Business:
83
Business Started:
1/1/1941
Accredited Since:
11/14/2002
Alternate Business Name
  • U.T.M.D. Anderson Cancer Center
  • M.D. Anderson Cancer Center
  • UTMDACC
Business Management
  • Ms. Miriam Flores, Director of Finance
  • Mr. Peter Pisters MD, President
Contact Information

Customer Contact

  • Ms. Miriam Flores, Director of Finance
Additional Contact Information

Fax Numbers

  • (713) 792-0795
    Primary Fax
  • (713) 745-1782
    Other Fax

Phone Numbers

Email Addresses

Website Addresses

Additional Business Information
Government Actions
Judge rules in favor of OCR and requires a Texas cancer center to pay $4.3 million in penalties for HIPAA violations

Judge rules in favor of OCR and requires a Texas cancer center to pay $4.3 million in penalties for HIPAA violations

A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) has ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR. This is the second summary judgment victory in OCR’s history of HIPAA enforcement and the $4.3 million is the fourth largest amount ever awarded to OCR by an ALJ or secured in a settlement for HIPAA violations.

MD Anderson is both a degree-granting academic institution and a comprehensive cancer treatment and research center located at the Texas Medical Center in Houston. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals. OCR’s investigation found that MD Anderson had written encryption policies going as far back as 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011 , and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013. The ALJ agreed with OCR’s arguments and findings and upheld OCR’s penalties for each day of MD Anderson’s non-compliance with HIPAA and for each record of individuals breached.

“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”

MD Anderson claimed that it was not obligated to encrypt its devices, and asserted that the ePHI at issue was for “research,” and thus was not subject to HIPAA’s nondisclosure requirements. MD Anderson further argued that HIPAA’s penalties were unreasonable. The ALJ rejected each of these arguments and stated that MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.”

The Notice of Proposed Determination and the ALJ’s opinion may be found on the OCR website at
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/mdanderson/index.html

Serving Area
  • 77008
  • 77380
  • 77381
  • 77382
  • 77384
  • 77385
  • 77386
  • 77387
  • 77393
  • 77584
  • 77588
Payment Methods
  • American Express, Discover, MasterCard and Visa; checks and cashier's checks, as well as cash
Refund and Exchange Policy
  •  

Business Categories
Hospital, Charity Foundations

BBB Business Profiles may not be reproduced for sales or promotional purposes.

BBB Business Profiles are provided solely to assist you in exercising your own best judgment. BBB asks third parties who publish complaints, reviews and/or responses on this website to affirm that the information provided is accurate. However, BBB does not verify the accuracy of information provided by third parties, and does not guarantee the accuracy of any information in Business Profiles.

When considering complaint information, please take into account the company's size and volume of transactions, and understand that the nature of complaints and a firm's responses to them are often more important than the number of complaints.

BBB Business Profiles generally cover a three-year reporting period. BBB Business Profiles are subject to change at any time. If you choose to do business with this business, please let the business know that you contacted BBB for a BBB Business Profile.

As a matter of policy, BBB does not endorse any product, service or business. Businesses are under no obligation to seek BBB accreditation, and some businesses are not accredited because they have not sought BBB accreditation.