Should ‘State’ Agencies Be Exempt From HIPAA? MD Anderson Says Yes

By Theresa Defino

Table of Contents

After failing to convince HHS administrative law judges (ALJs) that research data doesn’t have to be protected under HIPAA, the University of Texas MD Anderson Cancer Center has filed its third appeal to try to keep from paying $4.358 million for breaches in 2012 and 2013 that collectively exposed information about approximately 35,000 individuals.

In early April, MD Anderson filed suit against HHS Secretary Alex Azar in the U.S. District Court for the Southern District of Texas; this time it is arguing that the Office for Civil Rights (OCR) lacks the authority under HIPAA to fine MD Anderson because it is a type of state agency and that the fines imposed are excessive. Both arguments were also advanced at the ALJ level, but those judges said they did not have the jurisdiction to address them.

HHS has not yet filed its response. But to its argument that OCR exceeded allowable fines, MD Anderson seems already to have won. Just a few weeks after its suit was filed, OCR announced it would no longer apply an across-the-board annual maximum of $1.5 million, regardless of the severity of the violation. If the new fines are applied to MD Anderson, it would signal a big win for it.

Appeals Unsuccessful to Date

Typically, OCR is able to reach settlement agreements with organizations it believes have violated the privacy, security or breach notification regulations under HIPAA. OCR tried from October 2015 to August 2016 to do so, but MD Anderson refused, and in March 2017, OCR ended negotiations and moved to collect payment. MD Anderson then appealed to an ALJ, making the research argument, contending also that the data had not come to any harm or misuse, and that encryption was an “optional standard.” It raised other arguments, mounting what ALJ Judge Steven T. Kessel termed a “blizzard of arguments and counter-arguments.”

In July, OCR announced that Kessel had upheld its decision to fine MD Anderson $1.5 million for a stolen laptop and a USB drive lost in 2012 and $1.5 million for another drive reported missing in 2013. It added another $1.348 million for failing to implement access controls, specifically encryption and decryption (“Lack of Encryption Key to $4.3M Penalty For MD Anderson; ‘Layered Security’ One Solution,” RPP 18, no. 7).

At the time, MD Anderson said it was disappointed by the ruling and planned to launch a further appeal. In February, a three-member Department of Appeals Board upheld Kessel’s opinion. In a 33-page ruling, the judges dismissed MD Anderson’s claim that the security regulation does not require encryption, stating that it had planned to implement encryption but simply had delayed doing so due to financial concerns. The trio also batted back MD Anderson’s continued assertion that research data is not covered under HIPAA, relying on language in the preamble of the privacy rule as published in 2000. The appeals board said MD Anderson offered no new information to support this argument.

On April 9, MD Anderson filed a 15-page appeal in the Texas district court.

In the appeal, MD Anderson seems to be arguing that penalty amounts are also inappropriate because the “alleged disclosure violations” were out of character for the rest of the workforce, noting that they were caused by “three MD Anderson employees out of more than 21,000 over a 2-year period.”

In contrast to the earlier pleadings, it did not raise the issue of research data being exempt, but focused instead on two other arguments: that MD Anderson itself is exempt from civil monetary penalties, which it deemed inappropriately high. And it continued to dispute that it was not in compliance regarding encryption, which it defined as “optional.”

It took issue with the $2,000-per-day fine for failing to encrypt from March 24, 2011, to Jan. 25, 2013, based on a “reasonable cause” category of fines. “MD Anderson had appropriate policies in place and pursued encryption efforts in light of available technologies and considerations for uninterrupted, critical patient care,” it said in the appeal.

MD Anderson said the $3 million for the 2012 and 2013 losses of electronic protected health information equated to “the maximum amount that the OCR could impose under any level of culpability under HIPAA, making the punishment the same as in a case in which ePHI was intentionally taken to cause harm to patients and where harm was actually incurred.” The cancer center said the fines were in violation of annual caps imposed per identical violation.

Given OCR’s recent reduction in annual caps, the agency appears to agree.

This document is only available to subscribers. Please log in or purchase access.
Purchase Login


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook X LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings