MD Anderson Cancer Center is seeking an injunction in order to avoid paying the fourth-largest civil monetary penalty ever assessed—$4.3 million—for violating the HIPAA Security Rule.
The fine was originally levied against MD Anderson by the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted USB thumb drives, devices that together contained the electronic protected health information (ePHI) of over 33,500 individuals, according to an HHS press release. MD Anderson initially contested the penalty in an appeal to an HHS administrative law judge, who sided with OCR and ruled that MD Anderson must pay the penalty. Now the cancer center has filed a complaint with the US Court of Appeals for the Fifth Circuit in Texas.
MD Anderson is basing its appeal on several claims, arguing that the $4.3 million penalty is excessive, violates the Eighth Amendment to the Constitution, and exceeds HIPAA’s statutory caps. It also argues that HIPAA penalties can only be issued to persons. Further, the cancer center says HIPAA law defines a person as an individual, a trust or estate, a partnership, or a corporation. Because MD Anderson is part of the University of Texas Health System, it argues, it cannot be considered a “person” under HIPAA law, according to its complaint.
One of the factors in OCR’s penalty is that none of the three lost or stolen devices was encrypted; MD Anderson contends this was permissible because encryption is “optional” under HIPAA.
Some HIPAA security experts, such as David Holtzman of security consultancy CynergisTek, are skeptical of the cancer center’s legal arguments and predict they won’t succeed.
“The definition that MD Anderson is calling into question was amended to ensure that all of the HIPAA administrative simplification provisions applied equally to all healthcare organizations, public or private,” Holtzman told HealthcareInfoSecurity.
He adds that Congress’ purpose in enacting the HIPAA provisions would have been stymied had the definition of “person” not been sufficiently broad to encompass all the entities that are covered entities or business associates.
Additionally, MD Anderson argues that it is exempt from encryption rules because the ePHI involved was being used for research purposes.
According to the Houston Chronicle, HHS’s administrative law judge, Steven T. Kessel, found MD Anderson’s slow implementation of security measures “shocking” and rejected the legal arguments the provider raised above.