MD Anderson Cancer Center Seeks Injunction Against $4.3 Million HIPAA Fine

MD Anderson Cancer Center Seeks Injunction Against $4.3 Million HIPAA Fine

MD Anderson Cancer Center is seeking an injunction in order to avoid paying the fourth-largest civil monetary penalty ever assessed—$4.3 million—for violating the HIPAA Security Rule.

The fine was originally levied against MD Anderson by the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted USB thumb drives containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals, according to a HHS press release. MD Anderson initially contested the penalty in an appeal to an HHS administrative law judge who sided with OCR and ruled that MD Anderson must pay the penalty. Now the cancer center has filed a complaint with the US Court of Appeals, Fifth Circuit in Texas.

MD Anderson is basing its appeal on several claims, arguing that the $4.3 million penalty is excessive and is in violation of the eighth amendment to the Constitution, exceeding HIPAA’s statutory caps. It also argues that HIPAA penalties can only be issued to persons. Further, the cancer center says HIPAA law defines persons as an individual, a trust or estate, a partnership, or a corporation. Because MD Anderson is part of the University of Texas Health System, it argues, it cannot be considered a “person” under HIPAA law, according to its complaint.

One of the factors in OCR’s penalty is the fact that none of the three stolen devices were encrypted because, MD Anderson claims, encryption is “optional” under HIPAA.

Some HIPAA security experts, such as David Holtzman of security consultancy CynergisTek, are skeptical of the cancer center’s legal arguments and predict they won’t succeed.

“The definition that MD Anderson is calling into question was amended to ensure that all of the HIPAA administrative simplification provisions applied equally to all healthcare organizations, public or private,” Holtzman told HealthcareInfoSecurity.

He adds that Congress’ purpose in enacting the HIPAA provisions would have been stymied had the definition of “person” not been sufficiently broad to encompass all the entities that are covered entities or business associates.

Additionally, MD Anderson argues that that it’s exempt from encryption rules because the ePHI involved was being used for research purposes.

According to the Houston Chronicle, HHS’s administrative law judge, Steven. T. Kessel, found MD Anderson’s slow implementation of security measures “shocking” and rejected the provider’s legal reasonings provided above.

Mary Butler is associate editor at Journal of AHIMA.
Leave a comment


  1. I’m a registered Health Information Technician of 52 years, working in acute care facility. I think it’s rather arrogant of MD Anderson Cancer Center to believe they can exempt themselves from the responsibility of health information records that they are caretakers of, entrusted with their protection. HIPPA has existed for some time now and as the importance of protecting patient records has progressed any health care facility should take a very responsible attitude to protect the patient information they govern and maintain. There’s no excuse. No industry can plead ignorance of the facts. Within at least the recent 10-15 years in particular, the knowledge of encryption of stored information, the ease and ability of entities to hack into company/industry computer programs and the low life that will do this has been in the forefront to electronic health care record storage. And it’s STILL the hot topic at this time. Of course, to let medical staff or other institution employees “store” patient health records on a stick or in their laptops is careless to say the least, let alone to store it without encryption – it’s asking for trouble, like an “I dare you.” Hackers are very clever in breaking into programs, and sadly, with no good intentions of how they will use or ransom the data. The amount Anderson Cancer Center is being sued for seems extremely high, but then again the center has already misappropriate very important and personal information at least three times – that we know of.

  2. indeed I am a cancer survivor, but not at this facility but still it makes me feel uneasy what’s going on . I hope they pay the fine, and not fight it because fighting it implies that they have something to hide. I know people receiving treatments and have no complaints but still protecting patients information should be equally important as the medical care.

  3. Encryption on some other process like de-identification should be in place when it comes to PHI. If they didn’t know this, they certainly should have. This is the classic example of getting a speeding ticket then saying you didn’t see the speed limit sign. You still have to pay the ticket.

Send a Comment

Your email address will not be published. Required fields are marked *