[BreachExchange] MD Anderson Cancer Center Appeals $4.3 Million HIPAA Fine

Destry Winant destry at riskbasedsecurity.com
Mon Apr 15 08:47:27 EDT 2019


https://www.databreachtoday.com/md-anderson-cancer-center-appeals-43-million-hipaa-fine-a-12371

The University of Texas MD Anderson Cancer Center has filed a lawsuit
arguing that a $4.3 million HIPAA penalty levied against it last year
by the Department of Health and Human Services following three data
breaches involving unencrypted devices was unlawful.

In the complaint filed Tuesday in a Texas federal court, MD Anderson
argues that HHS, as a federal agency, does not have the authority to
impose the civil monetary penalty against the cancer center because MD
Anderson, which is part of the University of Texas, is a "state
agency."

MD Anderson also argues that HHS exceeded its authority by imposing a
civil monetary penalty "beyond the statutory caps" under HIPAA, and
also exceeded its authority by imposing an "excessive" penalty in
violation of the eighth amendment to the Constitution.

The healthcare provider is seeking a permanent injunction prohibiting
HHS from attempting to enforce or collect the penalty imposed against
MD Anderson as well as to recover its costs associated with the
lawsuit.

Last June, an HHS administrative law judge granted a summary judgment
to the HHS Office for Civil Rights, ruling that MD Anderson violated
the HIPAA privacy and security rules. The judge approved OCR imposing
a $4.3 million penalty in the aftermath of its investigations into
three breaches involving unencrypted devices.

'State Agency'

In the first of three counts laid out in the complaint, MD Anderson
alleges that in issuing the penalty, OCR claimed authority under HIPAA
that only authorizes the issuance of a CMP against a "person," and
that the statutory definition of "person" means an individual, a trust
or estate, a partnership, or a corporation.

"The definition of 'person' in HIPAA excludes the states and state
agencies," the complaint argues.

In the second and third counts of the complaint, MD Anderson argues
that the amount of the civil monetary penalty not only exceeds HHS's
authority under HIPAA's statutory caps but also violates the eighth
amendment.

"Despite the statutory cap of $100,000 per calendar year for
'reasonable cause' violations, the HHS secretary ordered that MD
Anderson pay a CMP totaling $4,348,000 for the alleged violations, an
amount almost 10 times more than the statutory caps," MD Anderson
argues.

The cancer center also states: "The excessive fines clause [of the
eighth amendment] ... limits the government's power to extract
payments, whether in cash or in kind, as punishment for some offense."

Encryption Optional?

In its complaint, MD Anderson argues that HHS levied the penalty
against the healthcare provider for "alleged violations of an optional
encryption standard; the theft of a laptop in a home burglary; and the
loss of two USB drives" - all of which MD Anderson reported to OCR.

"Following each instance, there has been no evidence that any
information from the devices was ever accessed or disclosed, and no
individuals whose information was contained on the devices has been
harmed by the theft or loss of the devices," MD Anderson
states.

During the time of the alleged HIPAA violations, the complaint
contends, MD Anderson had "appropriate policies in place and pursued
encryption efforts in light of available technologies and
considerations for uninterrupted, critical patient care."

The employees involved in the loss or theft of the devices "acted
contrary to MD Anderson policies, training and compliance efforts, as
well as ignored or refused to take advantage of the encryption
technologies MD Anderson made available to them," the complaint says.

MD Anderson argues that its "self-reported losses of three pieces of
equipment out of tens of thousands of devices by three employees out
of more than 21,000 over a two-year period cannot objectively be
viewed as warranting the highest level of CMP allowable by law for any
HIPAA offense under any level of culpability."

Statement from MD Anderson

In a statement provided to Information Security Media Group, MD
Anderson says: "Throughout this legal process, MD Anderson has
committed to bringing this matter to federal court given its status as
a state institution and the failure of the administrative judges to
consider all of MD Anderson's legal arguments. Additionally, given the
circumstances of the incidents, we believe the penalties are
inappropriate and excessive.

"Regardless of the final decision, MD Anderson hopes this process
brings transparency, accountability and consistency to the OCR's
enforcement process. The institution remains committed to safely
protecting patient information."

OCR did not immediately respond to ISMG's request for comment.

Analysis of Legal Argument

The argument that MD Anderson makes in claiming that HHS has no
authority to impose a HIPAA penalty on the healthcare provider because
it is a state agency is "creative" but will ultimately fail, predicts
privacy attorney David Holtzman of security consultancy CynergisTek.

"The definition that MD Anderson is calling into question was amended
to ensure that all of the HIPAA administrative simplification
provisions applied equally to all healthcare organizations, public or
private," he says. Congress' purpose in enacting the HIPAA provisions
would have been stymied had the definition of "person" not been
sufficiently broad to encompass all the entities that are covered
entities or business associates, he adds.

Holtzman also does not buy MD Anderson's argument that because
encryption is "addressable" under HIPAA it is therefore "optional."

"It is well understood that the HIPAA Security Rule's 'addressable'
implementation specifications are not optional," he says.

Under HIPAA, covered entities and business associates are allowed
flexibility in "addressing" certain specifications, such as
encryption, if they can demonstrate through an information security
risk analysis that an alternative approach is equally effective in
safeguarding PHI, Holtzman explains.

Reacting to MD Anderson's argument that the penalty amounts levied are
excessive, Holtzman says: "OCR alleged that MD Anderson had
long-standing, systemic failures to put into place reasonable
information security practices, which were the root cause of repeated
incidents that resulted in the unauthorized disclosures of e-PHI."

Rare Moves

OCR generally imposes a civil monetary penalty only in those HIPAA
cases that involve a lack of cooperation with investigators or the
failure to take recommended steps to correct security deficiencies. An
organization has the right to appeal the penalties to an
administrative law judge.

MD Anderson in its complaint notes that OCR in March 2017 notified the
Houston-based healthcare provider that it was seeking to impose a
civil monetary penalty. The cancer center then objected to OCR's
authority to impose the penalty and appealed to an HHS administrative
law judge, who ultimately ruled in favor of OCR. MD Anderson then
appealed the HHS administrative law judge's decision to HHS'
Departmental Appeals Board, which also refused to consider certain MD
Anderson arguments and defenses, the complaint notes.

Aside from the MD Anderson case, OCR has issued civil monetary
penalties in just three other previous cases, but has so far only
collected in two of those cases.

The HIPAA enforcer issued its first civil monetary penalty back in
2011 against Cignet Health for violations of the HIPAA Privacy Rule.
OCR officials say Cignet filed for bankruptcy and did not end up
paying the $4.3 million penalty.

OCR collected a $3.2 million civil monetary penalty in 2017 against
Children's Medical Center of Dallas and a $240,000 penalty in 2016
against Lincare Inc.

"There have been a number of resolution agreements settling claims
that public entities and institutions operating healthcare facilities
have failed to comply with the HIPAA rules," says Holtzman, a former
adviser at OCR.

"It is disturbing that MD Anderson continues to place its attention
and efforts into fighting the adoption of industry accepted best
practices. One has to wonder if the citizens of Texas, and the
patients of this health center, are being well served through this
adversarial approach that does nothing to further the protection of
their sensitive information from unauthorized disclosures."
