MD Anderson Cancer Center Appeals Against $4,348,000 HIPAA Penalty
In 2018, University of Texas MD Anderson Cancer Center was issued with a $4,348,000 civil monetary penalty by the HHS’ Office for Civil Rights (OCR) following the discovery of multiple alleged HIPAA violations that contributed to three data breaches that were experienced in 2012 and 2013.
OCR launched an investigation into the breaches and determined there had been an impermissible disclosure of the electronic protected health information (ePHI) of 34,883 patients and that HIPAA Rules had been violated as a result of the failure to use encryption. OCR reasoned that had encryption been used, the breaches could have been prevented.
MD Anderson contested the financial penalty and the case was sent to an administrative law judge who ruled that the MD Anderson must pay the financial penalty.
MD Anderson has now filed a complaint against the Secretary of the HHS and has launched an appeal with the U.S. Court of Appeals, Fifth Circuit in Texas.
MD Anderson alleges the civil monetary penalty is unlawful, that OCR has exceeded its authority by issuing the penalty, and the penalty is excessive. MD Anderson is seeking a permanent injunction to prevent OCR from collecting the penalty and have OCR cover its legal costs associated with its case.
Three counts are detailed in the complaint. MD Anderson alleges the CMP is unlawful as OCR only has the authority to issue a CMP against a person, which is either an individual, a trust, estate, partnership, or a corporation. MD Anderson is an academic institution and cancer treatment and research center that is part of the University of Texas and is a state agency and, it is argued, state agencies are except from OCR civil monetary penalties.
MD Anderson also argues that the penalty exceeds the maximum penalty for a HIPAA violation under the reasonable cause tier and that the penalty is in breach of the eighth amendment. In each of the three cases, employees acted against MD Anderson’s policies and procedures and did not take advantage of encryption technologies that were available to them. Further, no evidence has been uncovered to suggest that any information stored on the devices has been accessed, obtained, or misused.
MD Anderson also states that the use of encryption is not a requirement of the HIPAA Security Rule, which MD Anderson claims in the lawsuit is an “optional” standard.
It remains to be seen whether the appeal will be successful; however, OCR has made it clear that addressable standards are ‘optional’ requirements of the HIPAA Security Rule.
“The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI,” wrote OCR on its website. “If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate.”
The penalties may appear excessive given the nature of the incidents, but OCR has the authority to issue financial penalties for “reasonable cause” up to a maximum of $1,500,000 per year. In its notice of proposed determination, OCR stated how it arrived at the penalty amount.
- Calendar Year 2011 – 283 days, from March 24 through December 31 (maximum penalty of $1,500,000).
- Calendar Year 2012 – 366 days, from January 1 through December 31 (maximum penalty of $1,500,000).
- Calendar Year 2013 – 25 days, from January 1 through January 25, 2013 (maximum penalty of $1,500,000).