
Lessons from MD Anderson's HIPAA Judgment

Dale Cooke*

INTRODUCTION

On June 1, 2018, a Health and Human Services (HHS) Administrative Law Judge (ALJ) granted summary judgment in favor of the HHS Office for Civil Rights (OCR) in its complaint against the University of Texas MD Anderson Cancer Center (MD Anderson) for multiple violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for failure to protect electronic Protected Health Information (ePHI).[1] The judgment imposed more than $4.3 million in civil monetary penalties (CMP) on MD Anderson for its violations.[2] The decision was remarkable for several reasons. First, the award was the fourth largest amount ever imposed for HIPAA violations.[3] Second, this judgment was only the second ALJ summary judgment in the history of OCR's HIPAA enforcement.[4] Third, the judgment came in the context of an overall environment where HHS OCR HIPAA enforcement is markedly down.[5]

* Dale Cooke is the president of PhillyCooke Consulting, which helps companies use 21st century technology to communicate about FDA-regulated products while remaining compliant with regulations written in the 1960s. Dale Cooke received his bachelor's degree from Southern Methodist University, his master's degree from the University of Arizona, and anticipates receiving his juris doctorate degree from Drexel University's Thomas R. Kline School of Law in 2019. In addition, he studied health care compliance at Seton Hall University School of Law and epidemiology and biostatistics at Drexel University's School of Public Health.

[1] Director of the Office for Civil Rights v. The University of Texas MD Anderson Cancer Center (1 June 2018), Decision No. CR5111, 1 at 1.
[2] Id.
[3] Press Release, U.S. Dep't of Health & Human Servs., Judge rules in favor of OCR and requires a Texas cancer center to pay $4.3 million in penalties for HIPAA violations (June 18, 2018), https://www.hhs.gov/about/news/2018/06/18/judge-rules-in-favor-of-ocr-and-requires-texas-cancer-center-to-pay-4.3-million-in-penalties-for-hipaa-violations.html.
[4] Id.
[5] 2018 Mid-Year FDA and Health Care Compliance And Enforcement Update - Providers (July 26, 2018), Gibson Dunn, https://www.gibsondunn.com/2018-mid-year-fda-health-care-compliance-and-enforcement-update-providers/, 15.

Page 1 of 8

This paper looks at the judgment and assesses its implications for other providers and for possible weaknesses in the current enforcement paradigm. First, it sets forth the relevant requirements of HIPAA and the factual background. Next, it explains the nature of MD Anderson's violations and the judgment rendered by the ALJ. Then, it examines the policy implications of the defenses offered by MD Anderson and their rejection by the ALJ. Finally, the paper concludes with a look at the role the cap on penalties plays in limiting deterrence of HIPAA violations.

RELEVANT HIPAA REQUIREMENTS

HIPAA required HHS to establish standards for the protection of personally identifiable healthcare information unless Congress enacted preemptive privacy legislation.[6] Because Congress failed to act, HHS established such standards via the so-called "Privacy Rule," which was initially published in November 1999 and finalized in modified form in 2002.[7]

The Privacy Rule required "covered entities," which include health care providers, to "maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information."[8] Protected health information (PHI) includes information about a patient's treatment, diagnosis, health condition, or payment information for provision of healthcare.[9] ePHI is simply PHI that is stored or transmitted electronically.[10]


[6] Department of Health and Human Services, Summary of the HIPAA Privacy Rule, 1-2, May 2003, https://www.hhs.gov/sites/default/files/privacysummary.pdf (last visited Oct. 5, 2018).
[7] Id. at 2.
[8] Id. at 14.
[9] Id. at 4.
[10] 45 CFR 160.103.

FACTUAL BACKGROUND

MD Anderson is a large cancer treatment center that "operates six cancer treatment hospitals and two diagnostic imaging clinics in the Greater Houston area."[11] As such, MD Anderson qualifies as a covered entity for the purposes of the HIPAA Privacy Rule. MD Anderson had enormous amounts of ePHI regarding its patients and was aware of its obligations under the Privacy Rule to ensure that the ePHI it possessed was maintained appropriately to prevent unintentional release of that information.[12] MD Anderson had a policy requiring that all ePHI was encrypted to prevent its unintentional release.[13] Despite having a policy requiring that ePHI was encrypted, a significant amount of the ePHI at MD Anderson was stored on computers and other devices that were not encrypted as of 2013.[14] MD Anderson identified in its internal annual reports of 2010 and 2011 that its failure to implement encryption on all devices storing ePHI created a "key risk area that is not currently mitigated."[15]

In 2012 and 2013, MD Anderson experienced three unintentional releases of ePHI.[16] First, an unencrypted laptop that contained ePHI was stolen.[17] Second, an unencrypted universal serial bus (USB) drive containing ePHI was lost.[18] Third, a separate unencrypted USB drive with ePHI was lost.[19] In total, ePHI associated with more than 30,000 patients was breached.

[11] Department of Health and Human Services, Notice of Proposed Determination, RE: OCR Transaction Numbers 12-145395, 12-147543, and 14-175214, Mar. 24, 2017, 2, https://www.hhs.gov/sites/default/files/md-anderson-npd-signed.pdf (last visited Oct. 5, 2018).
[12] Id. at 2-3.
[13] Id. at 3.
[14] Id. at 4.
[15] Id. at 4 (internal quotation marks omitted).
[16] Id. at 3.
[17] Id.
[18] Id.

ALLEGED VIOLATIONS OF PRIVACY RULE

In response to a notification of the breaches described above, OCR notified MD Anderson that it considered MD Anderson in violation of its obligations under the Privacy Rule and proposed a settlement of $4.3 million in CMP.[20] The settlement proposal comprised $1.3 million for failure to encrypt its devices and $1.5 million per year for two years for the disclosures of ePHI of more than 30,000 individuals.[21]

ALJ JUDGMENT

MD Anderson declined the settlement offer from OCR and requested a hearing before an ALJ pursuant to 45 CFR 160.420(b). The ALJ upheld OCR's imposition of $2,000 per day for violations of the Privacy Rule and agreed with OCR that the disclosure of ePHI for more than 30,000 individuals should receive the maximum allowable amount of $1.5 million per year in CMP.[22] In reaching this judgment, the ALJ rejected several arguments from MD Anderson that would have significantly undercut the deterrent effect of the CMPs on covered entities.

First, MD Anderson argued that it could not be held accountable for the release of ePHI unless there were proof that the ePHI was accessed by someone who was not authorized for access to it.[23] In essence, this argument would have required that OCR find the thief who stole the laptop and the laptop itself and perform a forensic analysis on the laptop to see whether the thief (or any other party) had actually accessed the ePHI files. Regarding the lost USB drives, again OCR would have been responsible for finding those devices and determining who had accessed what information on them. The ALJ rejected this argument, noting that accepting these arguments would allow MD Anderson to "literally cast ePHI to the winds and be immune from penalty so long as OCR fails to prove that someone else received and viewed that information."[24]

[19] Id.
[20] Id. at 8.
[21] Id.
[22] OCR v. MD Anderson, p. 1.
[23] Id. at 10.

Second, MD Anderson argued that the ePHI release should be covered by the research exclusion to HIPAA protections.[25] The ALJ noted that MD Anderson's position would create a massive loophole such that any covered entity that had a research division could claim that breaches of the research functions were not covered by the Privacy Rule.[26] By contrast, the actual intent of the research exemption to the Privacy Rule was to enable entities such as MD Anderson to transmit covered ePHI to research functions without being accused of a breach by virtue of that transfer itself. The intention was not to say that any subsequent release by the researchers was also excused.

Third, MD Anderson argued that it should not be held accountable for the actions of the thief who stole the laptop.[27] The ALJ noted that OCR was not holding MD Anderson responsible for the theft of the laptop.[28] Instead, OCR was holding MD Anderson accountable for the failure to encrypt the laptop.[29] Had the laptop been encrypted when it was stolen, MD Anderson might have had an adequate defense to the alleged HIPAA violations.

[24] Id.
[25] Id. at 11.
[26] Id.
[27] Id. at 12.
[28] Id.
[29] Id.

Had any of these three arguments by MD Anderson succeeded, the deterrence of the CMPs would have been essentially eliminated because the burden on OCR to establish the violation would have been too high to effectively bring future enforcement.

POLICY IMPLICATIONS

The maximum civil monetary penalties that might have been levied for the violations by MD Anderson were $50,000 per day. Consequently, by awarding the $2,000 per day sought by OCR, this judgment represents only four percent (4%) of the total liability to which MD Anderson could have been subjected. As such, it is possible to see this judgment either as historically high because it was the fourth largest award ever or as extremely low because it could have been $100 million.

The ALJ's rejection of MD Anderson's absurd defenses was a strong reinforcement of the concept that OCR has the authority to hold covered entities accountable for the unintentional release of ePHI that is caused by their irresponsible maintenance of data, but that strong endorsement is tempered by the relatively low cost of the penalties.

CAP'S ROLE IN LIMITING PENALTY

It is worth noting the important role that the cap on CMP is playing in both the determination of the appropriate penalty and the total penalty assessed against MD Anderson. HIPAA created a $1.5 million cap per year for violations of the Privacy Rule. In 2012 (one of the years covered by the judgment), MD Anderson had $3 billion in net patient revenue.[30] Consequently, the total CMP imposed by OCR for more than two years of violations amounted to less than 0.15% of MD Anderson's net revenue for a single year. It is unclear whether Congress or OCR envisioned the scope of the violations of HIPAA's Privacy Rule that might occur.

[30] MD Anderson, Annual Report 2011-2012, 86, https://www.mdanderson.org/documents/publications/annual-report/Finance2012.pdf (last visited Oct. 5, 2018).

It is safe to say that $4.3 million would seem to be a large sum absent knowledge of the specific violations or the violator. In the abstract, such a penalty would appear to provide adequate deterrence for covered entities to avoid breaches of ePHI. However, given the revenues of large health care providers, it is reasonable to worry that some health care providers might simply see potential HIPAA violations as a cost of doing business that can easily be absorbed. Furthering this concern is not merely the paltry sum of the penalties relative to MD Anderson's revenues but also the significant costs of compliance. According to HHS, MD Anderson had 33,385 computers in its inventory during the period when the violations occurred.[31] Assuming a cost of $1,000 per computer to upgrade each computer to a fully encrypted system, MD Anderson was facing a cost of more than $33 million to complete the upgrade. That estimate does not include the cost of providing additional encrypted USB drives and recalling unencrypted devices.

Given the certainty of the cost for upgrading the entire system and the uncertainty of whether a breach caused by failing to upgrade the computers would happen, it is legitimate to wonder whether the caps on CMP are creating unwelcome cost-benefit analyses by covered entities prior to ensuring compliance. It is reasonable to speculate that one reason for the delay by MD Anderson in remedying the acknowledged risk was that the high cost of compliance was deemed excessive relative to the comparatively low capped penalties. MD Anderson could reasonably have believed prior to this judgment that its total exposure would be $1.5 million per year, so it could see 22 years of penalties as equal to the one-time cost of an upgrade.

[31] HHS, supra note 11, at 4.

CONCLUSION

The ALJ's summary judgment is a significant step for OCR's ability to enforce compliance with the HIPAA Privacy Rule's requirements. It signals to covered entities that their delay in fully implementing steps to protect ePHI creates a nontrivial financial liability that should provide an incentive to covered entities to ensure the protection of ePHI. At the same time, the cap on CMPs of $1.5 million per year for individual violations shows the limitations of the incentives. While $4.3 million is a significant penalty, the cost of full compliance with the Privacy Rule's requirements could be even larger. As such, there still might be some covered entities that are willing to risk a breach and face the uncertain risk of possible penalties rather than fund the certain expenses of compliance. If Congress or OCR wants to eliminate such breaches, it might be time to revisit the CMP caps.
