If MD Anderson Cancer Center gets its way, a federal court will declare that the Texas hospital doesn’t ever have to pay civil monetary penalties (CMP) for violating HIPAA privacy or security regulations. In its April 9 appeal of a $4.3 million penalty stemming from breaches caused by unencrypted thumb drives and a laptop, MD Anderson argued that CMPs don’t apply to “states and state agencies” like MD Anderson because they were not included in the 1996 HIPAA statute, and the HHS Office for Civil Rights (OCR) overstepped by adding them to the HIPAA regulations. MD Anderson also argued that the penalty, which was upheld last year by an administrative law judge (ALJ), exceeds statutory caps on HIPAA violations.
The appeal’s prospects for success are iffy because HHS acknowledged in its enforcement regulations that it was adding states and state agencies to the original statute, but “a victory would be significant,” says attorney Thora Johnson, with Venable in Baltimore, Maryland. If MD Anderson wins, it would put public hospital districts and other state agencies potentially in the position of saying “OCR doesn’t have any enforcement authority over us. We are complying because ‘it is the right thing to do,’” she says. “We will see in time how strong an argument it is. MD Anderson is certainly pointing out a potential weakness.” Either way, states and state agencies may have obligations under other state and federal laws to keep health information private and secure, Johnson notes.
The case also illustrates how easily the need for encryption can fall through the cracks at large health systems, says attorney Joseph Dickinson, with Smith Anderson in Raleigh, North Carolina. “They have so many assets—laptops, phones, thumb drives and pagers—that need to be encrypted that the human resources needed to make that happen can be prohibitive,” he says. “They probably don’t even have an accurate list of all devices with protected health information.” Health systems make themselves more vulnerable by developing policies and procedures without ensuring they’re implemented and followed, Dickinson says. That was at the heart of the allegations against MD Anderson, which reiterated in the appeal that no patients were harmed by the breaches.