Dale Cooke*
INTRODUCTION
On June 1, 2018, a Health and Human Services (HHS) Administrative Law Judge
(ALJ) granted summary judgment in favor of the HHS Office for Civil Rights (OCR) in its
complaint against the University of Texas MD Anderson Cancer Center (MD Anderson)
for multiple violations of the Health Insurance Portability and Accountability Act of 1996
(HIPAA) for failure to protect electronic Protected Health Information (ePHI).1 The
judgment imposed more than $4.3 million in civil monetary penalties (CMP) on MD
Anderson for its violations.2 The decision was remarkable for several reasons. First, the
award was the fourth largest amount ever imposed for HIPAA violations.3 Second, this
judgment was only the second ALJ summary judgment in the history of OCR's HIPAA
enforcement.4 Third, the judgment came in the context of an overall environment where
* Dale Cooke is the president of PhillyCooke Consulting, which helps companies use 21st
century technology to communicate about FDA-regulated products while remaining compliant
with regulations written in the 1960s. Dale Cooke received his bachelor's degree from Southern
Methodist University, his master's degree from the University of Arizona, and anticipates
receiving his juris doctorate degree from Drexel University's Thomas R. Kline School of Law
in 2019. In addition, he studied health care compliance at Seton Hall University School of Law
and epidemiology and biostatistics at Drexel University's School of Public Health.
1. Director of the Office for Civil Rights v. The University of Texas MD Anderson Cancer Center (1 June 2018), Decision No. CR5111, 1 at 1.
2. Id.
3. Press Release, U.S. Dep't of Health & Human Servs., Judge rules in favor of OCR and requires a Texas cancer center to pay $4.3 million in penalties for HIPAA violations (June 18, 2018), https://www.hhs.gov/about/news/2018/06/18/judge-rules-in-favor-of-ocr-and-requires-texas-cancer-center-to-pay-4.3-million-in-penalties-for-hipaa-violations.html.
4. Id.
5. 2018 Mid-Year FDA and Health Care Compliance And Enforcement Update - Providers (July 26, 2018), Gibson Dunn, https://www.gibsondunn.com/2018-mid-year-fda-health-care-compliance-and-enforcement-update-providers/, 15.
Page 1 of 8
This paper looks at the judgment and assesses its implications for other
providers and for possible weaknesses in the current enforcement paradigm. First, it
sets forth the relevant requirements of HIPAA and the factual background. Next, it
explains the nature of MD Anderson's violations and the judgment rendered by the ALJ.
Then, it examines the policy implications of the defenses offered by MD Anderson and
their rejection by the ALJ. Finally, the paper concludes with a look at the role the cap on
legislation.6 Because Congress failed to act, HHS established such standards via the
so-called "Privacy Rule," which was initially published in November 1999 and finalized
The Privacy Rule required "covered entities," which includes health care
6. Department of Health and Human Services, Summary of the HIPAA Privacy Rule, 1-2, May 2003, https://www.hhs.gov/sites/default/files/privacysummary.pdf (last visited Oct. 5, 2018).
7. Id. at 2.
8. Id. at 14.
9. Id. at 4.
10. 45 CFR 160.103.
FACTUAL BACKGROUND
treatment hospitals and two diagnostic imaging clinics in the Greater Houston area."11
As such, MD Anderson qualifies as a covered entity for the purposes of the HIPAA
Privacy Rule. MD Anderson had enormous amounts of ePHI regarding its patients and
was aware of its obligations under the Privacy Rule to ensure that the ePHI it
information.12 MD Anderson had a policy requiring that all ePHI was encrypted to
prevent its unintentional release.13 Despite having a policy requiring that ePHI was
and other devices that were not encrypted as of 2013.14 MD Anderson identified in its
internal annual reports of 2010 and 2011 that its failure to implement encryption on all
devices storing ePHI created a "key risk area that is not currently mitigated."15
ePHI.16 First, an unencrypted laptop that contained ePHI was stolen.17 Second, an
unencrypted universal serial bus (USB) drive containing ePHI was lost.18 Third, a
11. Department of Health and Human Services, Notice of Proposed Determination, RE: OCR Transaction Numbers 12-145395, 12-147543, and 14-175214, Mar. 24, 2017, 2, https://www.hhs.gov/sites/default/files/md-anderson-npd-signed.pdf (last visited Oct. 5, 2018).
12. Id. at 2-3.
13. Id. at 3.
14. Id. at 4.
15. Id. at 4 (internal quotation marks omitted).
16. Id. at 3.
17. Id.
18. Id.
separate unencrypted USB drive with ePHI was lost.19 In total, ePHI associated with
Privacy Rule and proposed a settlement of $4.3 million in CMP.20 The settlement
proposal comprised $1.3 million for failure to encrypt its devices and $1.5 million per
year for two years for the disclosures of ePHI of more than 30,000 individuals.21
ALJ JUDGMENT
MD Anderson declined the settlement offer from OCR and requested a hearing
before an ALJ pursuant to 45 CFR 160.420(b). The ALJ upheld OCR's imposition of
$2,000 per day for violations of the Privacy Rule and agreed with OCR that the
disclosure of ePHI for more than 30,000 individuals should receive the maximum
allowable amount of $1.5 million per year in CMP.22 In reaching this judgment, the ALJ
rejected several arguments from MD Anderson that would have significantly undercut
First, MD Anderson argued that it could not be held accountable for the release
of ePHI unless there were proof that the ePHI was accessed by someone who was not
authorized for access to it.23 In essence, this argument would have required that OCR
find the thief who stole the laptop and the laptop itself and perform a forensic analysis
on the laptop to see whether the thief (or any other party) had actually accessed the
19. Id.
20. Id. at 8.
21. Id.
22. OCR v. MD Anderson, p. 1.
23. Id. at 10.
ePHI files. Regarding the lost USB drives, again OCR would have been responsible for
finding those devices and determining who had accessed what information on them.
The ALJ rejected this argument, noting that accepting these arguments would allow MD
Anderson to "literally cast ePHI to the winds and be immune from penalty so long as
OCR fails to prove that someone else received and viewed that information."24
Second, MD Anderson argued that the ePHI release should be covered by the
research exclusion to HIPAA protections.25 The ALJ noted that MD Anderson's position
would create a massive loophole such that any covered entity that had a research
division could claim that breaches of the research functions were not covered by the
Privacy Rule.26 By contrast, the actual intent of the research exemption to the Privacy
Rule was to enable entities such as MD Anderson to transmit covered ePHI to research
functions without being accused of a breach by virtue of that transfer itself. The intention
was not to say that any subsequent release by the researchers was also excused.
Third, MD Anderson argued that it should not be held accountable for the actions
of the thief who stole the laptop.27 The ALJ noted that OCR was not holding MD
Anderson responsible for the theft of the laptop.28 Instead, OCR was holding MD
Anderson accountable for the failure to encrypt the laptop.29 Had the laptop been
encrypted when it was stolen, MD Anderson might have had an adequate defense to
24. Id.
25. Id. at 11.
26. Id.
27. Id. at 12.
28. Id.
29. Id.
Had any of these three arguments by MD Anderson succeeded, the deterrence
of the CMPs would have been essentially eliminated because the burden on OCR to
establish the violation would have been too high to effectively bring future enforcement.
POLICY IMPLICATIONS
The maximum civil monetary penalties that might have been levied for the
the $2,000 per day sought by OCR, this judgment represents only four percent (4%) of
the total liability to which MD Anderson could have been subjected. As such, it is
possible to see this judgment either as historically high because it was the fourth largest
award ever or as extremely low because it could have been $100 million.
reinforcement of the concept that OCR has the authority to hold covered entities
accountable for the unintentional release of ePHI that is caused by their irresponsible
maintenance of data, but that strong endorsement is tempered by the relatively low cost of
the penalties.
It is worth noting the important role that the cap on CMP is playing in both the
determination of the appropriate penalty and the total penalty assessed against MD
Anderson. HIPAA created a $1.5 million cap per year for violations of the Privacy Rule.
In 2012 (one of the years covered by the judgment), MD Anderson had $3 billion in net
patient revenue.30 Consequently, the total CMP imposed by OCR for more than two
years of violations amounted to less than 0.15% of MD Anderson's net revenue for a
30. MD Anderson, Annual Report 2011-2012, 86, https://www.mdanderson.org/documents/publications/annual-report/Finance2012.pdf (last visited Oct. 5, 2018).
single year. It is unclear whether Congress or OCR envisioned the scope of the
It is safe to say that $4.3 million would seem to be a large sum absent knowledge
of the specific violations or the violator. In the abstract, such a penalty would appear to
provide adequate deterrence for covered entities to avoid breaches of ePHI. However,
given the revenues of large health care providers, it is reasonable to worry that some
health care providers might simply see potential HIPAA violations as a cost of doing
business that can easily be absorbed. Furthering this concern is not merely the paltry
sum of the penalties relative to MD Anderson's revenues but also the significant costs of
during the period when the violations occurred.31 Assuming a cost of $1,000 per
facing a cost of more than $33 million to complete the upgrade. That estimate does not
include the cost of providing additional encrypted USB drives and recalling unencrypted
devices.
Given the certainty of the cost for upgrading the entire system and the
happen, it is legitimate to wonder whether the caps on CMP are creating unwelcome
to speculate that one reason for the delay by MD Anderson in remedying the
acknowledged risk was that the high cost of compliance was deemed excessive relative
31. HHS, supra note 11, at 4.
believed prior to this judgment that its total exposure would be $1.5 million per year, so
CONCLUSION
The ALJ's summary judgment is a significant step for OCR's ability to enforce
compliance with the HIPAA Privacy Rule's requirements. It signals to covered entities
that their delay in fully implementing steps to protect ePHI creates a nontrivial financial
liability that should provide an incentive to covered entities to ensure the protection of
ePHI. At the same time, the cap on CMPs of $1.5 million per year for individual
violations shows the limitations of the incentives. While $4.3 million is a significant
penalty, the cost of full compliance with the Privacy Rule's requirements could be even
larger. As such, there still might be some covered entities that are willing to risk a
breach and face the uncertain risk of possible penalties rather than fund the certain