MD Anderson Cancer Center Appeals $4.3 Million HIPAA Fine
Organization Lists Reasons Why It Believes Breach-Related Penalty Was Not Justified
The University of Texas MD Anderson Cancer Center has filed a lawsuit arguing that a $4.3 million HIPAA penalty levied against it last year by the Department of Health and Human Services following three data breaches involving unencrypted devices was unlawful.
In the complaint filed Tuesday in a Texas federal court, MD Anderson argues that HHS, as a federal agency, does not have the authority to impose the civil monetary penalty against the cancer center because MD Anderson, which is part of the University of Texas, is a "state agency."
MD Anderson also argues that HHS exceeded its authority by imposing a civil monetary penalty "beyond the statutory caps" under HIPAA, and also exceeded its authority by imposing an "excessive" penalty in violation of the Eighth Amendment to the Constitution.
The healthcare provider is seeking a permanent injunction prohibiting HHS from attempting to enforce or collect the penalty imposed against MD Anderson as well as to recover its costs associated with the lawsuit.
Last June, an HHS administrative law judge granted a summary judgment to the HHS Office for Civil Rights, ruling that MD Anderson violated the HIPAA privacy and security rules. The judge approved OCR imposing a $4.3 million penalty in the aftermath of its investigations into three breaches involving unencrypted devices.
In the first of three counts laid out in the complaint, MD Anderson alleges that in issuing the penalty, OCR claimed authority under HIPAA that only authorizes the issuance of a CMP against a "person," and that the statutory definition of "person" means an individual, a trust or estate, a partnership, or a corporation.
"The definition of 'person' in HIPAA excludes the states and state agencies," the complaint argues.
In the second and third counts of the complaint, MD Anderson argues that the amount of the civil monetary penalty not only exceeds HHS's authority under HIPAA's statutory caps but also violates the Eighth Amendment.
"Despite the statutory cap of $100,000 per calendar year for 'reasonable cause' violations, the HHS secretary ordered that MD Anderson pay a CMP totaling $4,348,000 for the alleged violations, an amount almost 10 times more than the statutory caps," MD Anderson argues.
The cancer center also states: "The excessive fines clause [of the Eighth Amendment] ... limits the government's power to extract payments, whether in cash or in kind, as punishment for some offense."
In its complaint, MD Anderson argues that HHS levied the penalty against the healthcare provider for "alleged violations of an optional encryption standard; the theft of a laptop in a home burglary; and the loss of two USB drives" - all of which MD Anderson reported to OCR.
"Following each instance, there has been no evidence that any information from the devices was ever accessed or disclosed, and no individuals whose information was contained on the devices has been harmed by the theft or loss of the devices," MD Anderson states.
During the time of the alleged HIPAA violations, MD Anderson contends in the complaint, it had "appropriate policies in place and pursued encryption efforts in light of available technologies and considerations for uninterrupted, critical patient care."
The employees involved in the loss or theft of the devices "acted contrary to MD Anderson policies, training and compliance efforts, as well as ignored or refused to take advantage of the encryption technologies MD Anderson made available to them," the complaint says.
MD Anderson argues that its "self-reported losses of three pieces of equipment out of tens of thousands of devices by three employees out of more than 21,000 over a two-year period cannot objectively be viewed as warranting the highest level of CMP allowable by law for any HIPAA offense under any level of culpability."
Statement from MD Anderson
In a statement provided to Information Security Media Group, MD Anderson says: "Throughout this legal process, MD Anderson has committed to bringing this matter to federal court given its status as a state institution and the failure of the administrative judges to consider all of MD Anderson's legal arguments. Additionally, given the circumstances of the incidents, we believe the penalties are inappropriate and excessive.
"Regardless of the final decision, MD Anderson hopes this process brings transparency, accountability and consistency to the OCR's enforcement process. The institution remains committed to safely protecting patient information."
OCR did not immediately respond to ISMG's request for comment.
Analysis of Legal Argument
The argument that MD Anderson makes in claiming that HHS has no authority to impose a HIPAA penalty on the healthcare provider because it is a state agency is "creative" but will ultimately fail, predicts privacy attorney David Holtzman of security consultancy CynergisTek.
"The definition that MD Anderson is calling into question was amended to ensure that all of the HIPAA administrative simplification provisions applied equally to all healthcare organizations, public or private," he says. Congress' purpose in enacting the HIPAA provisions would have been stymied had the definition of "person" not been sufficiently broad to encompass all the entities that are covered entities or business associates, he adds.
Holtzman also does not buy MD Anderson's argument that because encryption is "addressable" under HIPAA it is therefore "optional."
"It is well understood that the HIPAA Security Rule's 'addressable' implementation specifications are not optional," he says.
Under HIPAA, covered entities and business associates are allowed flexibility in "addressing" certain specifications, such as encryption, if they can demonstrate through an information security risk analysis that an alternative approach is equally effective in safeguarding PHI, Holtzman explains.
Reacting to MD Anderson's argument that the penalty amounts levied are excessive, Holtzman says: "OCR alleged that MD Anderson had long-standing, systemic failures to put into place reasonable information security practices, which were the root cause of repeated incidents that resulted in the unauthorized disclosures of e-PHI."
OCR generally imposes a civil monetary penalty only in those HIPAA cases that involve a lack of cooperation with investigators or the failure to take recommended steps to correct security deficiencies. An organization has the right to appeal the penalties to an administrative law judge.
MD Anderson in its complaint notes that OCR in March 2017 notified the Houston-based healthcare provider that it was seeking to impose a civil monetary penalty. The cancer center then objected to OCR's authority to impose the penalty and appealed to an HHS administrative law judge, who ultimately ruled in favor of OCR. MD Anderson then appealed the HHS administrative law judge's decision to HHS' Departmental Appeals Board, which also refused to consider certain MD Anderson arguments and defenses, the complaint notes.
Aside from the MD Anderson case, OCR has issued civil monetary penalties in just three other cases, but has so far collected in only two of those cases.
The HIPAA enforcer issued its first civil monetary penalty back in 2011 against Cignet Health for violations of the HIPAA Privacy Rule. OCR officials say Cignet filed for bankruptcy and did not end up paying the $4.3 million penalty.
"There have been a number of resolution agreements settling claims that public entities and institutions operating healthcare facilities have failed to comply with the HIPAA rules," says Holtzman, a former adviser at OCR.
"It is disturbing that MD Anderson continues to place its attention and efforts into fighting the adoption of industry accepted best practices. One has to wonder if the citizens of Texas, and the patients of this health center, are being well served through this adversarial approach that does nothing to further the protection of their sensitive information from unauthorized disclosures."