HIPAA Blog

[ Saturday, January 16, 2021 ]

 

MD Anderson fought the law, and . . .

 MD Anderson actually won.  At least at the 5th Circuit.  I'll want to read the opinion before I can predict whether OCR will appeal to the Supreme Court, but I think it's likely they will.  So, keep in mind that I'm operating a little in the dark here, but would you like my initial take?  

Here's the chronology: 

Between 2011 and 2015, MD Anderson lost one laptop and two flash drives (actually, the laptop was stolen in a home burglary, and the flash drives were lost by an intern and a visiting research physician).  The media had research-related ePHI of 35,000 patients involved in Anderson's research projects.  In 2006, Anderson had adopted policies requiring encryption of ePHI, but neither the laptop nor the flash drives were encrypted.

Anderson reported the incidents in 2012 and 2013, triggering an investigation by OCR.  OCR stated that they tried to reach an informal resolution with Anderson over the course of their investigation, but were unable to do so.  I don't have any inside detail, but it sounds like Anderson might've ignored or rebuffed OCR's outreach efforts, just as Children's Medical Center in Dallas did.

Since Anderson and OCR did not reach a settlement agreement, in March 2017, OCR issued a "Notice of Proposed Determination" in which it imposed a $4,348,000 fine for multiple HIPAA violations, including failure to encrypt (encryption itself is an addressable issue, not a required one, but given Anderson's 2006 policies, they internally addressed it and determined that it was necessary).  Anderson challenged the proposed determination, which sent the matter to an Administrative Law Judge.  Anderson's defense included that encryption was not required (cf. their own policies), that the information was for research so not covered by HIPAA (it's still PHI, and Anderson is still a covered entity), that no known harm was determined to have come to any of the affected individuals (you still get a ticket even if your reckless driving doesn't cause any accidents), and that OCR lacked the authority to levy fines against state agencies (HIPAA specifically applies to Medicare and Medicaid, and OCR has fined plenty of governmental entities).  They also argued that the fines were unreasonable (now, that's an argument I can buy).  They later specifically argued that the fines violated the 8th Amendment to the Constitution, which specifically prohibits "excessive fines."

The ALJ upheld the penalty, in relatively harsh words, in June 2018. Anderson appealed inside the administrative law system, to the Departmental Appeals Board, which upheld the ALJ's award.  Anderson also appealed to the federal court system, seeking a determination that OCR's fine was unreasonable and beyond the authority of OCR to impose.  In April 2019, OCR issued guidance, and a Notification of Enforcement Discretion, indicating that it now believed that lower fine limits were applicable; Anderson appealed the DAB ruling to the Fifth Circuit, adding the fine limits to its arguments against the penalty.

In the HITECH Act, Congress authorized OCR to levy higher penalties; however, as with much of the language in the shoddily-drafted and hastily passed ARRA (also known as the Stimulus Bill [or "porkulus" if you're a deficit hawk], of which HITECH is a part), the penalty language is poorly drafted.  While the Omnibus Rule (passed by Obama's HHS) included adoption of the apparent new higher limits, the Notice of Enforcement Discretion (passed by Trump's HHS) finally recognized this, and instituted a tiered system of penalties, based on culpability.  While the Notice of Enforcement Discretion could be read as forward-looking only, its underlying rationale gave Anderson a good toe-hold to fight the fines against it (in my opinion, the only really good argument they had).

Ultimately, the Fifth Circuit determined that OCR's fine was "arbitrary, capricious, and contrary to law;" even OCR has acknowledged that it can no longer defend the portion of the fine in excess of $450,000, under the rationale in the Notice of Enforcement Discretion.  The court did not rule on Anderson's argument that it is not a "person" under HIPAA because it is a state agency (if the court had sided with Anderson, that would've made an appeal to the Supreme Court by OCR much more likely).

Obviously, I'll chime back in once I read the actual ruling, if that changes any of the above.


Jeff [10:27 AM]

Comments:
Actually, I understand the PHI on the laptop was encrypted at the file level. See pp. 6-7 of the 5th Circuit opinion (https://www.ca5.uscourts.gov/opinions/pub/19/19-60226-CV0.pdf). MD Anderson apparently used file-level encryption pre-2012 and transitioned to device-level encryption by the end of 2012. OCR dinged them because they had determined that device-level encryption was appropriate but had not completely implemented this due to a funding delay and the overall complexity of the process (they had issued an RFP and hired consultants but were still in rollout when the laptop was stolen). Also, from their CLO's characterization of the investigations, MD Anderson was cooperating with OCR throughout but did not agree to a settlement because the fines OCR offered were so high and MD Anderson didn't want to concede several legal points (as would be required in an OCR settlement agreement). MD Anderson asserted that the fines were not consistent with prior fines/cases, and that culpability must factor into the caps. They won here on both points, and OCR eventually conceded this last piece - see pp. 12-13 of the 5th Circuit opinion. (Some of this info is from the CLO's presentation at the Texas Health Law Conference in 2019 - happy to send the slides to anyone who's interested.)
 
Thanks for the comment, "unknown." That's great information. I think I missed both the UT Health Law Conference and the TMA Health Law Conference in 2019.

 
(updated prior post with my name - didn't mean to be anonymous)
 