OCR continues setting examples with the recent announcement of the $4,348,000 civil money penalty (CMP) that they imposed on MD Anderson. Most headlines are about that $4.3 million in penalties but to us, that is not what is the most interesting and important thing to note in this case. A review of the details shows us once again that the enforcement of HIPAA obligations is not something they decide to do in a willy-nilly way. It is specific and designed to set examples of what is expected. As we review the case, we also point out the calculations that let 3 breaches reach a total of over $4 million dollars.
In this episode:
MD Anderson Loses OCR Challenge – Ep 161
Today’s Episode is brought to you by:
Next HIPAA Boot Camp
Live in Tucker, GA
July 19 and 20th
Want to be part of Help Me With HIPAA? Donate to the cause at www.HelpMeWithHIPAA.com/give
HMWH App now has more features. You can now access a PDF with the show notes ready for your HIPAA training documentation! Find it under the bonus feature in the app for both the Apple and Android versions. It is a little gift box on the app bar.
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
MD Anderson Loses OCR Challenge
The actual issues in the case go back to 2012 and 2013 when an unencrypted laptop was stolen and two unencrypted USB thumb drives were lost with a total of 34,883 patients exposed. This has been floating around out there for a while going back that far! We have seen enough of these to know they dropped the ball somewhere with policies, procedures, risk analysis or risk management to have this many of them happen over a year. You expect it to be pretty direct and easy. But, that is why we are seeing the announcement.
OCR’s investigation found that MD Anderson had written encryption policies going as far back as 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high-risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011 , and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013. The ALJ agreed with OCR’s arguments and findings and upheld OCR’s penalties for each day of MD Anderson’s non-compliance with HIPAA and for each record of individuals breached.
“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”
There we see again that David’s buddy, Roger, ain’t playin’! So, that sounds pretty straightforward when it comes to these cases. We have seen it many times in the past. What makes this one different is MD Anderson said no, it doesn’t apply to us.
MD Anderson claimed that it was not obligated to encrypt its devices, and asserted that the ePHI at issue was for “research,” and thus was not subject to HIPAA’s nondisclosure requirements. MD Anderson further argued that HIPAA’s penalties were unreasonable. The ALJ rejected each of these arguments and stated that MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.”
BTW, dilatory means slow to act. We provide a complete education here at HMWH!
First, they claimed they weren’t obligated to encrypt and protect data about research cases. That must be another reason why there was a recent guidance paper released by OCR directly relating to what is allowed for research disclosures. Granted, it says it is for 21st Century Cures requirements but the timing seems pretty convenient. The ALJ said that the PHI involved should have been protected.
When that failed, MD Anderson then argued that the proposed penalty was unreasonable. However, it was clearly stated that the calculations reflected the amounts just as the law stated them. So, again, it seems they felt they were above the law because it is a pretty easy thing to calculate. The letter OCR sent them provided all the specifics for us to review.
Based on the above findings of fact, we have determined that MD Anderson is liable for the following violations of the HIPAA Rules and, therefore, is subject to a CMP.
- MD Anderson failed to implement access controls – encryption and decryption, or an equivalent alternative measure, as required by 45 C.F.R. § 164.312(a)(2)(iv). OCR has determined that the appropriate penalty tier for this violation is reasonable cause.
- Calendar Year 2011 – 283 days, from March 24 through December 31 (maximum penalty of $1,500,000).
- Calendar Year 2012 – 366 days, from January 1 through December 31 (maximum penalty of $1,500,000).
- Calendar Year 2013 – 25 days, from January 1 through January 25, 2013 (maximum penalty of $1,500,000).
- MD Anderson impermissibly disclosed the PHI of at least 34,883 individuals, in violation of 45 C.F.R. § 164.502(a). OCR has determined that the appropriate penalty tier for this violation is reasonable cause.
- Number of individuals whose ePHI was impermissibly disclosed in 2012 due to April 30, 2012 theft of laptop and July 13, 2012 loss of an unencrypted USB thumb drive: 31,285 (maximum penalty of $1,500,000).
- Number of individuals whose ePHI was impermissibly disclosed in 2013 due to December 2, 2013 loss of an unencrypted USB thumb drive: 3,598 (maximum penalty of $1,500,000).
When you do that math it comes out to more than $4.3 million. That means that they did take into account something. Just not as much as they had asked them to reduce the amounts.
In MD Anderson’s response to August 11, 2016, OCR’s Letter of Opportunity, it notes that the CMP should be mitigated because the alleged encryption noncompliance did not result in any known physical, financial, or reputational harm to any individuals nor did it hinder any individual’s ability to obtain health care. OCR has considered this, and as a result, concludes that, despite the fact that it could impose a penalty of up to $50,000 a day for each day that MD Anderson was out of compliance with 45 C.F.R. § 164.312(a)(2)(iv), OCR proposes that the daily penalty amount of $2,000 per day be applied for these violations that were due to reasonable cause and not willful neglect under 45 C.F.R. § 160.404(b)(2)(ii)(A), specifically the encryption violations for which MD Anderson had abundant notice given the small breaches it reported beginning in 2011.
Each factor listed below was considered an aggravating factor in determining the amount of the CMP:
- The amount of time that MD Anderson continued to use unencrypted devices even after it had actual knowledge that encryption was necessary to ensure the security of ePHI. Specifically, the evidence indicates that MD Anderson workforce members were using unencrypted devices to store ePHI as late as 2012 even after MD Anderson was on notice years earlier that its security program lacked encryption for protecting health information.
- MD Anderson’s Information Security Program and Annual Reports for calendar years 2010-2011 identified encryption of confidential data on mobile media as a key risk area that is “currently not mitigated.”
- MD Anderson’s Corporate Compliance Risk Analysis for fiscal year 2011 (September 1, 2010, through August 31, 2011) indicated the following high risk findings: a) no enterprise-wide solution in effect for encryption of Institutional laptops and mobile computing devices; b) workforce members are downloading ePHI, confidential, and restricted confidential information and other sensitive data onto portable computing devices for use outside the Institution.
- MD Anderson submitted a series of breach reports to OCR on February 23, 2012, which indicated that, on nineteen occasions in 2011, Blackberry mobile devices containing ePHI were reported as lost or stolen to the University of Texas Police Department.
Therefore, OCR proposes the penalty amount of $2,000 per day for the violations of the encryption implementation specification (45 C.F.R. § 164.312(a)(2)(iv)) that were due to reasonable cause and not willful neglect under 45 C.F.R. § 160.404(b)(2)(ii)(A). However, based on the lack of evidence of harm to affected individuals, OCR continues to use the lowest amount in the reasonable cause tier, $1,000, for purposes of calculating the penalties for the impermissible disclosures violations (45 C.F.R. § 164.502(a)).
Bottom line is they set the fine at $1,348,000 for the lack of encryption. Plus, $3,000,000 for improper disclosures.
The ALJ decision is pretty direct and to the point. There were several arguments that MD Anderson attorneys were making in the case. Things like HHS has no authority to levy fines and the limit should be $100k per year. The judge basically said you’re barking up the wrong tree. That goes to court, not an Administrative Law Judge. Take it up with someone else. The judge even goes so far as to say “This argument is a red herring.” at one point in the opinion. There were some important points in there about the MD Anderson arguments. Like this one relating to improper disclosures. They argued that there was no evidence that anyone actually viewed or obtained the PHI on the unencrypted devices. The judge had this to say about that argument:
Moreover, to interpret the regulation so narrowly as Respondent suggests would render its prohibitions against unauthorized disclosure to be meaningless. If Respondent had its way, it and other covered entities could literally cast ePHI to the winds and be immune from penalty so long as OCR fails to prove that someone else received and viewed that information.
The regulation defines disclosure as including “release” of confidential information. The word “release” has a common and ordinary meaning. “Release” means to set free from restraint, confinement, or servitude. https://www.merriamwebster.com/dictionary/release. It is the act of setting something free that constitutes a “release,” not a third party recapturing that which has been released. Thus, the regulation makes it plain that any loss of ePHI is a “release,’· and consequently, a disclosure of that information.
BAM! Then, they go on to make another point I found interesting.
The statutory authority to impose a remedy hinges on the release and not the receipt of such information, because under HIPAA the Secretary is obligated to protect ePHI and not just simply redress the consequences of unlawful disclosure.
There was a lot of that kind of smackdown language scatter around the decision document. In the end, it was clear that all their arguments were being shot down and not considered. When the amount of the penalty was being discussed this section was particularly interesting:
However, and as I have stated, the penalties that I determine to impose are but a small fraction of the maximum penalties that are permitted by regulation. Penalties of $2000 are only 1/25th of the maximum allowable amount for daily penalties. The annual penalties of $1,500,000 appear to be large but come to less than $90 for each violation committed by Respondent. The reality is that the penalties imposed in this case are quite modest given the gravity of Respondent’s noncompliance.
I note, furthermore, that the penalties are miniscule when compared with Respondent’s size and the volume of business that it does. It is a multi-billion dollar per year business. OCR Ex. 82. The sheer size of Respondent’s operations and the enormous amount of revenue that it generates, argue against reducing the penalty amounts. Remedies in this case need to be more than a pinprick in order to assure that Respondent and similarly situated entities comply with HIPAA’s non-disclosure requirements.
When you read this one it is the most heated exchange I have seen. You have to wonder what it was like behind the scenes on this one. You don’t mess with Texas vs You protect PHI.
For all of those folks who think they will be able to talk their way out of these failures, this should be a wakeup call. Yes, they may challenge it further in court but that would take years. Plus, at what point do they cut their losses on this one and move on? If a multi-billion dollar enterprise can’t maneuver their way out of a penalty like this one, how will your organization fair?
The cases that OCR has announced since December are all addressing things we have heard many times in the past. Bankruptcy, close the business, scatter a bunch of small breaches and not worry about, or argue the rules don’t apply to me have all been in recent cases. From these cases, they are certainly making it clear they do not want to play around with this stuff anymore. If you have been waiting to deal with these requirements until it really mattered, your time is running out. How much longer do you want to risk it?
Please remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!