By Theresa Defino
Nearly five years passed from the time the University of Texas MD Anderson Cancer Center reported to the HHS Office for Civil Rights (OCR) that three breaches had occurred, until OCR—citing an inability to reach a voluntary settlement—moved to fine the Houston institution $4.348 million.
It would be another six years before a trio of Fifth Circuit Court of Appeals justices would tell OCR that its 2016 position, and previous administrative rulings upholding the fine, were “arbitrary, capricious, and otherwise unlawful.”[1],[2]
MD Anderson and its attorneys were “thrilled that the Fifth Circuit agreed with our interpretation of the law,” attorney Scott McBride told RPP in a wide-ranging interview about the unique case. The litigation ended there because HHS officials didn’t appeal that January 2021 ruling, but “we would have been happy to go to the Supreme Court if they wanted to,” said McBride, a partner in the Houston office of Morgan, Lewis & Bockius LLP.
Ultimately, MD Anderson owed the government nothing, although, of course, the case wasn’t free to pursue (more about that later). But it continues to pay dividends for other covered entities (CEs) and business associates (BAs) who now have a defined “path” to combat “overly aggressive” OCR enforcement of HIPAA regulations, said McBride.
The health care community also has MD Anderson to thank for at least a temporary tenfold reduction in civil money penalties (CMP). Just after its appeals were filed in April 2019, OCR issued a notice of enforcement discretion, acknowledging that the $1.5 million annual caps it had relied on—and which MD Anderson challenged as too high—were not appropriate under a new interpretation of the HITECH Act.[3]
OCR set new maximums that would have reduced MD Anderson’s fine to $450,000; the agency promised to follow up with revised regulations.
Further, the circuit court reinterpreted significant issues related to encryption and impermissible disclosures, which CEs and BAs might not be aware of.
‘We Always Believed We Were Right’
Most CEs and BAs accept OCR’s penalties for alleged HIPAA violations and agree to implement corrective action plans (CAPs). A handful have not settled but have instead accepted imposition of a fine, a decision that also means no CAP, which can save money because CAPs are expensive to implement.
The suit involved a “handful” of attorneys on both sides, said McBride. He would not disclose how much the litigation cost MD Anderson but said it was less than the fine OCR wanted it to pay. “We always believed we were right,” said McBride when asked why MD Anderson pursued the case for nearly a decade.
McBride cautioned that, although MD Anderson was successful, following this example requires a commitment of time and resources that may extend “beyond the administrative process and into federal court.”
Nevertheless, “people should look at [appeal] options and then pursue those where they think it makes sense,” he said.