Since finalizing the HIPAA Privacy and Security Rules in 2003, the Office for Civil Rights (“OCR”) has looked into more than a quarter-million HIPAA complaints and launched more than 1,000 compliance reviews. OCR has resolved approximately 90% of these cases. In 46,558 cases, OCR intervened early and provided technical assistance without the need for a formal investigation. In over 28,654 other cases, OCR required changes in privacy practices and corrective actions by or provided technical assistance to HIPAA covered entities and their business associates.
Over the last few years, we have seen an increase in the volume of completed investigations and increased financial penalties. So far, of the 97 cases that included a monetary settlement or OCR imposed a civil penalty, the total penalties exceed more than $135 million-$135,058,482 to be exact.
Among these civil penalties is a case that’s been back in the headlines recently, involving the University of Texas MD Anderson Cancer Center. What makes this case of interest to healthcare covered entities and business associates is that while OCR levied penalties on the organization totaling $4.3 million, the U.S. Court of Appeals vacated that fine.
Let’s take a closer look at what happened with MD Anderson, OCR, the court cases, and what we can learn from this to help better prepare your organization for potential interactions with OCR now and in the future.
Since the Enforcement Final Rule in 2006, OCR has had the power to issue financial penalties (and/or corrective action plans) to covered entities that fail to comply with HIPAA Rules.
The HIPAA Omnibus Rule in 2013 updated the financial penalties for HIPAA violations. The penalty structure for a violation of HIPAA laws is now tiered, based on the knowledge a covered entity had of the violation. The levels of culpability associated with each Tier are as follows:
- Tier 1: Covered entity was unaware of the violation, could not realistically have avoided it, and had taken a reasonable amount of care to meet HIPAA Rules.
- Tier 2: Covered entity should have been aware of the violation but could not be avoided, even with a reasonable amount of care.
- Tier 3: Covered entity demonstrates willful neglect where an attempt was made to address the violation.
- Tier 4: Covered entity demonstrates willful neglect and did not attempt to correct the issue.
The civil monetary penalties (“CMP”) associated with each Tier and established under HITECH Act and as interpreted by OCR at time of MD Anderson CMP:
| Tier | Minimum CMP Per Violation | Maximum Annual CMP Identical Violations | Maximum CMP per Violation | Annual Limit Identical Violations |
|---|---|---|---|---|
| 1 | $100 | $25,000 | $50,000 | $1,500,000 |
| 2 | $1,000 | $100,000 | $50,000 | $1,500,000 |
| 3 | $10,000 | $250,000 | $50,000 | $1,500,000 |
| 4 | $50,000 | $1,500,000 | No maximum specified | No maximum specified |
While MD Anderson was pending, OCR issued a Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties. With this Notice, OCR changed its interpretation of the cumulative annual CMP limit. Instead of a $1.5 M CMP regardless of Tier, the new understanding set the annual CMP limit as the Maximum Annual CAP or $25K, $100k, $250K, and $1.5M, respectively.
In addition to culpability, OCR considers several “general factors” and the seriousness of the HIPAA violation when deciding on monetary penalties.
Since the Omnibus Rule’s introduction, all covered entities and business associates (B.A.s) of covered entities are subject to potential financial penalties for violations of the HIPAA Rules.
In cases where OCR imposed monetary penalties, an affected entity can request a hearing with an HHS administrative law judge to determine if evidence from the investigation supports the imposed penalties.What happened with MD Anderson?
MD Anderson had three separate breaches during 2012-2013. Each related to stolen or lost unencrypted devices, specifically a laptop and two unencrypted thumb drives. The laptop reportedly contained ePHI of almost 30,000 patients, while one thumb drive had more than 2,000 and the other more than 3,500 records.
During the investigation, OCR discovered that MD Anderson had encryption requirements in place as far back as 2007 but determined the center had not implemented an enterprise-wide solution for ePHI encryption until 2011. Further, it determined that MD Anderson had failed to encrypt all of its electronic devices that could access ePHI from 2011 until early 2013.
The laptop breach occurred in April 2012. The first thumb drive breach occurred in July 2012, and the second thumb drive breach was in December 2013. By January 2013, according to the OCR report, MD Anderson had encrypted 98% of its managed computer inventory, accounting for more than 33,000 computers.
Additional review of MD Anderson’s practices revealed that the organization had undergone several third-party assessments, which recommended device encryption. MD Anderson took steps to encrypt these devices; however, OCR raised questions about these efforts’ timeliness and seriousness.OCR determination
The OCR investigation determined that there were two HIPAA Rules violations:
- Failure to implement encryption or adopt an equivalent measure to limit ePHI access
- Unauthorized ePHI disclosure
OCR reported it had attempted resolution with MD Anderson between October 2015 and August 2016, but in August 2016 sent a Letter of Opportunity (L.O.) indicating MD Anderson had failed to comply with Privacy and Security Rules.
According to OCR, MD Anderson responded to the L.O. asking that OCR reduce the penalties. MD Anderson’s basis for this request was that “the alleged encryption noncompliance did not result in any known physical, financial, or reputational harm to any individuals nor did it hinder an individual’s ability to obtain health care.”
In 2017, OCR responded by imposing a range of penalties per violation, which in the end totaled $4,348,000 for violations related to access controls (encryption and decryption: $1.348 million) and impermissible disclosures ($3 million). You can see a breakdown of those penalties in the OCR report.
While entities have the right to a hearing before an administrative law judge to challenge the fines, few previously pursued this avenue; however, MD Anderson chose to do so.
In June 2018, an administrative law judge ruled in favor of OCR, upholding the $4.3 million in penalties.
MD Anderson then appealed to the United States Court of Appeals for the Fifth Circuit. In January 2021, the Court of Appeals vacated the June 2018 ruling, saying OCR’s actions were “arbitrary, capricious, and unlawful.”
According to the National Law Review, there were four primary findings by the Court upon which it based its Ruling:
- MD Anderson had implemented various encryption mechanisms to protect ePHI, and the Security Rule “does not require a covered entity to warrant that its mechanism provides bulletproof protection of all systems containing ePHI.”
- MD Anderson didn’t affirmatively act to disclose PHI, and OCR could not prove that anyone outside of the entity accessed the information
- OCR had not imposed penalties against other entities for similar violations as those alleged by MD Anderson
- The penalty contradicts the HIPAA Enforcement Rule, which would cap reasonable cause at $100,000 per year
Looking Forward
It is not yet clear how this Ruling will impact OCR enforcement. Some legal commentators speculate that the Court’s opinion could mark a significant reduction in the authority and discretion of OCR and tip the balance in favor of covered entities and business associates. Others postulate that OCR might respond by moving more quickly to resolve cases with more frequent consistent lower dollar penalties instead of spending so much time attempting to help organizations come into compliance through technical direction.
Will this Ruling empower organizations to fight OCR enforcement penalties more aggressively? Will OCR spend less time on technical direction and more quickly move to impose civil monetary penalties, but the penalties will be smaller? Only time will tell.
In the interim, you can help prepare and protect your organization by conducting a risk and compliance review. With these evaluations, you can find out if you are meeting all of your HIPAA and other compliance mandates and make plans to remediate gaps before you experience a breach and have to face OCR scrutiny. These reviews can help you determine where you have exposures so you can mitigate and manage issues to decrease your risk of a breach.
Please reach out with your comments and questions at jon.moore@clearwatercompliance.com.
