Report on Patient Privacy Volume 22, Number 11. (November 2022)
Nearly five years passed from the time the University of Texas MD Anderson Cancer Center reported to the HHS Office for Civil Rights (OCR) that three breaches had occurred, until OCR—citing an inability to reach a voluntary settlement—moved to fine the Houston institution $4.348 million.
It would be another six years before a trio of Fifth Circuit Court of Appeals justices would tell OCR that its 2016 position, and previous administrative rulings upholding the fine, were “arbitrary, capricious, and otherwise unlawful.”
MD Anderson and its attorneys were “thrilled that the Fifth Circuit agreed with our interpretation of the law,” attorney Scott McBride told RPP in a wide-ranging interview about the unique case. The litigation ended there because HHS officials didn’t appeal that January 2021 ruling, but “we would have been happy to go to the [Texas] Supreme Court if they wanted to,” said McBride, a partner in the Houston office of Morgan, Lewis & Bockius LLP.
Ultimately, MD Anderson owed the government nothing, although, of course, the case wasn’t free to pursue (more about that later). But it continues to pay dividends for other covered entities (CEs) and business associates (BAs) who now have a defined “path” to combat “overly aggressive” OCR enforcement of HIPAA regulations, said McBride.
The health care community also has MD Anderson to thank for at least a temporary tenfold reduction in civil money penalties (CMP). Just after its appeals were filed in April 2019, OCR issued a notice of enforcement discretion, acknowledging that the $1.5 million annual caps it had relied on—and which MD Anderson challenged as too high—were not appropriate under a new interpretation of the HITECH Act.
OCR set new maximums that would have reduced MD Anderson’s fine to $450,000; the agency promised to follow up with revised regulations.
Further, the circuit court reinterpreted significant issues related to encryption and impermissible disclosures, which CEs and BAs might not be aware of.
‘We Always Believed We Were Right’
Most CEs and BAs accept OCR’s penalties for alleged HIPAA violations and agree to implement corrective action plans (CAPs). A handful have not settled, but instead accepted imposition of a fine—a decision that also means no CAP, which can save money, since CAPs are expensive to implement.
The suit involved a “handful” of attorneys on both sides, said McBride. He would not disclose how much the litigation cost MD Anderson but said it was less than the fine OCR wanted it to pay. “We always believed we were right,” said McBride when asked why MD Anderson pursued the case for nearly a decade.
McBride cautioned that, although MD Anderson was successful, following this example requires a commitment of time and resources that may extend “beyond the administrative process and into federal court.”
Nevertheless, “people should look at [appeal] options and then pursue those where they think it makes sense,” he said.
OCR Cited Encryption Failure, Disclosures
MD Anderson’s battle set it apart from other organizations facing OCR enforcement action, but the incidents that triggered the legal saga were extremely common in the 2010s. At the time there were near-daily reports of lost or stolen laptops and the smaller devices ubiquitous in health care, few of which, if any, were encrypted.
In May 2012, MD Anderson reported to OCR that a laptop had been stolen in a burglary at the home of a physician who had purchased it with MD Anderson funds for teleworking; he was the director of research informatics for its Genitourinary Cancer Center. The laptop, which was neither encrypted nor protected by other safeguards, such as a password, held protected health information (PHI) for 29,021 individuals. The second incident, reported two months later, involved a summer intern in MD Anderson’s Stem Cell Transplantation and Cellular Therapy Department. The intern lost her unencrypted USB thumb drive, onto which she had downloaded PHI for 2,264 individuals from MD Anderson’s systems.
The following December, MD Anderson reported the loss of another privately owned, unencrypted thumb drive. This one, which had PHI for 3,598 people, had been used by a visiting researcher from Brazil who said it was missing from her desk.
Following years of investigations, OCR officials in 2018 released a notice of proposed determination letter sent to MD Anderson the previous year, which related that they “attempted to reach a resolution of the matter by informal means during the period from approximately October 28, 2015, to August 11, 2016.”
OCR said MD Anderson failed to implement encryption or an equivalent measure from March 24, 2011, until January 25, 2013, for which it assigned a “reasonable cause” penalty of $2,000 per day, for a total of $1.348 million. It then tacked on a two-year penalty for disclosure of the PHI at $1,000 per individual whose PHI was involved. OCR’s policy at the time was to cap identical penalties at $1.5 million per year regardless of how responsible the organization was.
In June 2017, MD Anderson appealed OCR’s imposition of the fine to an HHS administrative law judge (ALJ), with both sides presenting what the judge called a “blizzard of arguments and counter-arguments.” With the judge’s June 2018 ruling supporting OCR, MD Anderson appealed to the HHS Departmental Appeals Board, which, a year later, also decided the case in OCR’s favor.
But MD Anderson was undeterred and, in April 2019, took the case to both the U.S. District Court for the Southern District of Texas and the appellate court, which handles cases from Texas as well as Alabama, Florida, Georgia, Louisiana and Mississippi.
Appeal Spurred Surprise OCR Move
As noted earlier, at that point, MD Anderson won an important but interim victory: OCR, under then-Director Roger Severino, announced in the April 30, 2019, Federal Register that the agency was scrapping its penalty structure.
“Current HHS regulations apply the same cumulative annual CMP limit across four categories of violations based on the level of culpability. As a matter of enforcement discretion, and pending further rulemaking, HHS will apply a different cumulative annual CMP limit for each of the four penalties tiers in the HITECH Act,” the agency said.
The new annual penalty caps are $25,000, $100,000, $250,000 and $1.5 million, based on culpability level or violation type, which range from “no knowledge” to “willful neglect not corrected.”
The district court deferred to the appellate judges, and after almost two years, the Fifth Circuit ruled, handing MD Anderson a win on every argument it considered; it left at least one to be addressed by potential litigation in the future.
In one sense, the case ended with a bit of a whimper. HHS never alerted the attorneys that the government wasn’t going to appeal the decision—McBride said he wasn’t expecting a notification—so they were left waiting and wondering…and then the deadline to appeal passed. The case was over.
In addition to satisfaction with the overall outcome, there were “congratulations among the team for being committed to seeing it through all the way to court,” said McBride.
Basics of Battle-Readiness
McBride also shared some lessons learned from the case, and a few may run contrary to popular thought.
For example, HIPAA compliance officials, experts, attorneys and agency officials themselves always warn that one reason to follow the rules is the reputational damage that can result if OCR brings an enforcement action—which it always publicizes. But McBride said he did not think the case “impacted [MD Anderson] negatively.”
He repeated that MD Anderson’s “mission is to cure cancer, and that’s what they stay focused on.” Each time OCR announced a development in the case, MD Anderson was ready with a public response.
McBride said a few news articles “here or there [were] critical” of the case, “but, at the end of the day, oftentimes those [authors] didn’t understand the full facts or the issues that we were appealing to try to get some resolution and some answers [to], not just for MD Anderson, but really for all the health care providers across the nation” who are regulated by OCR.
The litigation also kicked up a number of inquiries by other governmental and oversight bodies, McBride added.
“When the decisions came out through the administrative process and the OCR would issue press releases related to the ALJ decisions, which were negative, MD Anderson would receive inquiries from different agencies and bodies such as the BBB [Better Business Bureau] and the Joint Commission, and there would be news articles,” said McBride. Organizations in similar situations “have to be aware that throughout the process there can be inquiries…and they need to be prepared to respond to those.”
For MD Anderson, the strategy was to “explain what their position is and that they [were] still pursuing the case…and they look forward to pursuing it [further in] court,” McBride said.
Act Expeditiously on Identified Risks
McBride also learned through the case that OCR will use an organization’s documents against it, so officials must be thoughtful when drafting compliance plans, remediation efforts and other compliance steps.
There’s no getting around the fact that entities have to respond to OCR’s document requests—that’s usually the first step in an OCR investigation. According to McBride, from 2013 to 2017, attorneys and the organization responded to 65 documentation requests, produced 528 exhibits, “hundreds” of pages of written responses and 4,629 pages of exhibits.
McBride explained that if the organization indicated it had ongoing efforts or was proposing policies or actions to address privacy and security, “OCR would use that information against the provider if the provider didn’t act quickly enough on it” in the agency’s view.
If a risk is identified during an assessment, “you would need to move forward quickly to remedy that and address it,” he said, adding, “how quickly the OCR thinks something should be done, versus how quickly an institution may be able to do something, may not always be the same.”
The case also showed McBride not to expect much from the government during discovery.
“There’s really not a whole lot more that comes from the government in these cases other than what the institution has and what the institution may have produced to the government through the investigation phase,” McBride said.
MD Anderson: ‘Self-CAP’ Was Sufficient
This reinforces his earlier point that, when responding to OCR, “fully explain the compliance activity, when you implemented it, the process…over time. That will help the OCR understand exactly what the organization has done and, hopefully, show that they’ve met the requirements under the regulation and be able to avoid allegations that you violated some sort of regulatory provision,” he said.
Regardless, CEs and BAs should know that OCR may still be unimpressed and insist on a CAP, McBride said. This was another sticking point that prevented MD Anderson from settling with OCR.
“Most entities…take compliance seriously” and will prospectively initiate their own corrective actions to address issues that arise, McBride said. “In this case, we felt like MD Anderson had all of the necessary compliance measures in place,” but OCR “did not seem to be willing to accept that, what we called a self-imposed CAP.”
Making the Ruling Stick Nationwide
OCR has work to do related to the case, including keeping Severino’s promise to formalize the notice of enforcement discretion via revised regulations, but now its direction seems unclear. It also recently saw turnover at the top, with Lisa Pino leaving as director after only 10 months. Her successor, Melanie Fontes Rainer, was sworn in Sept. 14.
The agency “should update the regulations to make them consistent” with the penalty notice, McBride said. “That’s why it was important to have the decision from the Fifth Circuit Court of Appeals confirm that the proper interpretation of the regulations is at the amounts that are set out in the notice of enforcement discretion, as opposed to what’s in the regulation.”
The Fifth Circuit ruling is technically applicable only in that circuit, but McBride said he can’t envision OCR undertaking actions the justices found illegal.
However, regarding lowered penalties, OCR recently signaled that it would take the opposite course if it can get Congress’ blessing.
In HHS’ legislative request in its fiscal year (FY) 2023 budget, OCR proposed “an increase in the amount of civil money penalties that can be imposed in a calendar year for HIPAA noncompliance,” arguing “higher annual caps would increase OCR’s ability to vigorously enforce the HIPAA Rules, create a greater incentive to comply with the health information privacy laws, and effectuate greater industry compliance.”
OCR added that, in its “experience, the current limits on civil money penalties do not create a sufficient deterrent to industry noncompliance.” It did not detail what it thought the penalties should be.
FY 2023 began Oct. 1 and runs until Sept. 30, 2023, but Congress has provided funding through a continuing resolution that expires Dec. 16, and that resolution did not address OCR’s requests. Congress will have another opportunity to do so with the next appropriations legislation.
Fines Are Already ‘Plenty High’
McBride isn’t supportive of this proposal and wasn’t aware of it until RPP brought it to his attention.
This “could explain why they haven’t gone back and tried to fix the regulations if they’re really going to push to change the statute first” to increase the penalties, he said.
Asked if an increase would be a mistake, McBride responded that he believes the fines—even as reduced by the court and notice of discretion—“are plenty high” already.
“I’d like to know how they’re using the fines to support patients…individuals whose PHI has been affected” by a HIPAA violation, said McBride, “and why they think they are insufficient.”
McBride suggested that OCR keep its focus on developing the regulation to share fines—as Congress required in 2009—rather than launching an effort to increase them.
In April, OCR published a request for information to gather data for such a regulation, as well as input on the recognized security practices it is now required by law to consider in enforcement proceedings.
McBride said that, even in the absence of updated regulations, “providers can still point to the notice of enforcement discretion and the case and say, ‘This is the correct way.’”