OCR For The Win: MD Anderson HIPAA Enforcement Action

Locke Lord LLP

Locke Lord LLP

Once again, an Administrative Law Judge (“ALJ”) upheld the imposition of civil money penalties charged against a covered entity by the Office for Civil Rights of the Department of Health and Human Services (“OCR”) for violations of the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”). And this time, the penalties are substantial ($4.3 million).

Typically, covered entities cooperate with OCR and enter into a resolution agreement that indicates the covered entities potentially violated HIPAA, sometimes with the payment of a resolution amount. In this case, however, MD Anderson refused to settle and took the position that it had not violated HIPAA because (i) the electronic protected health information (“ePHI”) was lost or stolen, and (ii) the incident occurred when its employees violated the company’s policies against storing ePHI on mobile devices and not taking ePHI offsite. The ALJ relied on uncontested evidence that established MD Anderson had an encryption policy for ePHI, but failed to implement said policy with respect to mobile devices, including laptops and USB drives. MD Anderson argued that it was not required by HIPAA to encrypt all devices and that it implemented other “mechanisms” to protect the ePHI (e.g., passwords, training). The ALJ found that was no defense and stated that “Respondent’s [MD Anderson’s] liability – and its culpability – emanates from its failure to address the risk that ePHI could be disclosed via the theft or loss of mobile devices containing such information.”

The interesting part of this case is the size of the penalties and the arguments put forward by MD Anderson regarding the statutory caps on civil monetary penalties that are permitted to be imposed under HIPAA. Unfortunately for MD Anderson, the ALJ was only delegated authority to review OCR’s imposition of penalties under the regulations with respect to reasonableness and was not permitted to declare the regulations to be beyond OCR’s authority or to declare proposed penalties to be arbitrary and unconstitutional. In the absence of an appeal, MD Anderson now owes civil money penalties of $4.3 million due to its violations of HIPAA.

You can read the ALJ’s opinion here and the OCR press release here.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Locke Lord LLP | Attorney Advertising

Written by:

Locke Lord LLP

Locke Lord LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.