MD Anderson Cancer Center Contests $4,348,000 HIPAA Civil Monetary Penalty

In 2018, the HHS’ Office for Civil Rights (OCR) issued a $4,348,000 civil monetary penalty (CMP) to University of Texas MD Anderson Cancer Center after discovering several alleged HIPAA violations that resulted to three data breaches in 2012 and 2013.

OCR investigated the breaches and found an impermissible disclosure of 34,883 patients’ electronic protected health information (ePHI) and a violation of HIPAA Rules involving the failure to encrypt data. If encryption was used, it would have prevented the breaches.

MD Anderson contested OCR’s decision and so the case was decided by an administrative law judge who said it is just right for MD Anderson to pay the financial penalty.

MD Anderson filed a complaint against HHS and submitted an appeal to the U.S. Court of Appeals in Fifth Circuit in Texas.

MD Anderson detailed three counts in the complaint. The first claim is the unlawful issuance of civil monetary penalty against MD Anderson. The second claim is that OCR exceeded its authority when it issued the civil monetary penalty. The third claim is that the civil monetary penalty is too much.

MD Anderson is an academic institution and a part of the University of Texas’ cancer treatment and research center. Since OCR is only given the authority to issue a penalty against a person, a trust, partnership, corporation or estate, MD Anderson argued that it is exempted from OCR civil monetary penalties.

MD Anderson additionally states that the penalty was over the maximum penalty allowed for a HIPAA violation under the reasonable cause tier and the penalty violates the eighth amendment. In all three cases, the employees’ actions were against MD Anderson’s policies and procedures and failed to use the available encryption technologies. Additionally, no evidence was found to indicate the access or misuse of any information stored on the devices. MD Anderson likewise claims that encryption is not required by the HIPAA Security Rule but rather an “optional” standard.

MD Anderson is trying to get a permanent injunction to avoid paying OCR the penalty and have OCR pay for the legal costs incurred because of the case. The success of the appeal is uncertain; but, OCR made it clear that addressable standards are ‘optional’ HIPAA Security Rule requirements. That means that encryption must be implemented if the entity finds it a reasonable and appropriate safeguard for ePHI after conducting a risk assessment. If the entity chooses not to implement encryption, it must be documented and there should be an equivalent alternative control implemented.

The penalties may seem too much considering the nature of the breaches, but OCR is authorized to issue financial penalties up to $1,500,000 per year for “reasonable cause.” OCR explained how it computed the penalty amount in a notice of proposed determination https://www.hhs.gov/sites/default/files/md-anderson-npd-signed.pdf .

For 2011 – from March 24 through December 31 is 283 days (maximum penalty of $1,500,000).
For 2012 – from January 1 through December 31 is 366 days (maximum penalty of $1,500,000).
For 2013 – from January 1 through January 25, 2013 is 25 days (maximum penalty of $1,500,000).