ALJ Requires MD Anderson Cancer Center to Pay $4.3M for HIPAA Violations
The U.S. Department of Health and Human Services ("HHS"), Office for Civil Rights ("OCR") announced earlier this month that an HHS administrative law judge ("ALJ") ruled in favor of the OCR on summary judgment and required MD Anderson Cancer Center ("MD Anderson") to pay more than $4.3 million in civil monetary penalties to the OCR for HIPAA violations. According to the OCR's press release about the ruling, this was the second summary judgment victory in OCR's history of HIPAA enforcement and the $4.3 million penalty is the fourth largest amount ever awarded to OCR by an ALJ or secured in a settlement for HIPAA violations. The ALJ fines included daily fines for MD Anderson's non-compliance over a 22-month period and annual fines of $1.5 million for each of two calendar years.
OCR's investigation of MD Anderson began after MD Anderson filed three separate HIPAA breach reports in 2012 and 2013, which collectively affected more than 34,000 individuals. The first breach related to a stolen, unencrypted laptop, while the other two breaches related to the loss of unencrypted USB thumb drives. The OCR's investigation revealed that at the time of the breaches, MD Anderson had written policies requiring encryption. Notwithstanding the policies, MD Anderson did not begin encrypting laptops for multiple years thereafter and the ALJ noted in his written opinion that MD Anderson "made only half-hearted and incomplete efforts at encryption." MD Anderson recognized the need to encrypt data in 2006. The ALJ opinion noted that as of November 2013 more than 4,400 MD Anderson computers were not encrypted and that as of January 2014 more than 2,600 MD Anderson computers were not encrypted. Further, an MD Anderson 2011 risk analysis had identified the lack of an enterprise-wide encryption solution as a "high risk" area.
On March 24, 2017, the OCR issued a Notice of Proposed Determination, suggesting MD Anderson pay civil monetary penalties of just over $4.3 million for (1) failure to encrypt electronic devices; and (2) impermissible disclosure of electronic protected health information ("ePHI"). MD Anderson thereafter requested a hearing before an ALJ. In granting summary judgment in favor of OCR, the ALJ sustained the imposition of the $4.3 million in civil monetary penalties. The ALJ rejected arguments by MD Anderson that MD Anderson was not obligated to encrypt its devices; that the ePHI at issue was for "research," and therefore not subject to HIPAA's nondisclosure requirements; and that the proposed civil monetary penalties were unreasonable.
The ALJ asserted that it did not have authority to hear three arguments raised by MD Anderson, each related to the validity and propriety of the HIPAA regulations:
- The regulatory definition of a "person" inappropriately broadens the statutory definition to include an agent of a state;
- The regulations allow for greater penalties than what is permitted by the HIPAA statute; and
- The civil monetary penalties proposed by the OCR violate the excessive fines clause of the 8th Amendment of the U.S. Constitution.
The ALJ was dismissive of the briefing arguments made by MD Anderson. The ALJ noted, "This case is in its present posture because [MD Anderson] recognized a problem, consisting of the vulnerability of its ePHI to unauthorized disclosure including by loss or theft, devised a mechanism to protect ePHI that included encryption of devices, and failed to implement that mechanism."
With respect to the $4.3 million penalty, the ALJ noted that MD Anderson is a "multi-billion dollar per year business" and "[r]emedies in this case need to be more than a pinprick in order to assure that [MD Anderson] and similarly situated entities comply with HIPAA’s non-disclosure requirements."
A copy of the ALJ decision is available online.
The MD Anderson ruling emphasizes the importance of an effective HIPAA security program and the importance of timely efforts to ensure full compliance. In particular, (1) areas identified as "high risk" in HIPAA risk analyses should be diligently and promptly addressed/mitigated; and (2) covered entities and business associates should follow their own policies. The daily penalties and annual penalties imposed should serve as an important reminder of the costly impact of HIPAA non-compliance.
For more information relating to Saul Ewing Arnstein & Lehr’s Health Care Practice, please contact the authors or the Saul Ewing Arnstein & Lehr attorney with whom you are regularly in contact.