Locke Lord QuickStudy: OCR For The Win: MD Anderson HIPAA Enforcement Action

Locke Lord LLP
June 21, 2018

Once again, an Administrative Law Judge (“ALJ”) has upheld civil money penalties imposed on a covered entity by the Office for Civil Rights of the Department of Health and Human Services (“OCR”) for violations of the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”). This time the penalties are substantial: $4.3 million.

Typically, covered entities cooperate with OCR and enter into a resolution agreement acknowledging that they may have violated HIPAA, sometimes accompanied by payment of a resolution amount. In this case, however, MD Anderson refused to settle and took the position that it had not violated HIPAA because (i) the electronic protected health information (“ePHI”) had been lost or stolen, and (ii) the incidents occurred when its employees violated the organization’s policies against storing ePHI on mobile devices and against taking ePHI offsite. The ALJ relied on uncontested evidence that MD Anderson had an encryption policy for ePHI but failed to implement that policy on mobile devices, including laptops and USB drives. MD Anderson argued that HIPAA did not require it to encrypt every device and that it had implemented other “mechanisms” to protect the ePHI (e.g., passwords, training). The ALJ found this no defense: a login password does not protect unencrypted data on a drive that can simply be removed and read elsewhere, and training is no substitute for a control once a device has already left the building, which is precisely the risk the encryption policy existed to address. In the ALJ’s words, “Respondent’s [MD Anderson’s] liability – and its culpability – emanates from its failure to address the risk that ePHI could be disclosed via the theft or loss of mobile devices containing such information.”

The interesting part of this case is the size of the penalties and MD Anderson’s arguments regarding the statutory caps on civil money penalties that may be imposed under HIPAA. Unfortunately for MD Anderson, the ALJ’s delegated authority extended only to reviewing the reasonableness of OCR’s imposition of penalties under the regulations; the ALJ could not declare the regulations to exceed OCR’s authority or declare the proposed penalties arbitrary or unconstitutional. Unless it appeals, MD Anderson now owes civil money penalties of $4.3 million for its HIPAA violations.

You can read the ALJ’s opinion here and the OCR press release here.