After failing to convince HHS administrative law judges (ALJs) that research data doesn’t have to be protected under HIPAA, the University of Texas MD Anderson Cancer Center has filed its third appeal to try to keep from paying $4.358 million for breaches in 2012 and 2013 that collectively exposed information about approximately 35,000 individuals.
In early April, MD Anderson filed suit against HHS Secretary Alex Azar in the U.S. District Court for the Southern District of Texas. This time it is arguing that the Office for Civil Rights (OCR) lacks the authority under HIPAA to fine MD Anderson because it is a type of state agency and that the fines imposed are excessive. Both arguments were also advanced at the ALJ level but those judges said they did not have the jurisdiction to address them.
Typically, OCR is able to reach settlement agreements with organizations it believes have violated the privacy, security or breach notification regulations under HIPAA. OCR tried from October 2015 to August 2016 to do so, but MD Anderson refused and in March 2017, OCR ended negotiations and moved to collect payment. MD Anderson then appealed to an ALJ, making the research argument, contending also that the data had not come to any harm or misuse, and that encryption was an “optional standard.” It raised other arguments, mounting what ALJ Judge Steven T. Kessel termed a “blizzard of arguments and counter-arguments.”