Printer Friendly, PDF & Email

Should ‘State’ Agencies Be Exempt From HIPAA? MD Anderson Says Yes

After failing to convince HHS administrative law judges (ALJs) that research data doesn’t have to be protected under HIPAA, the University of Texas MD Anderson Cancer Center has filed its third appeal to try to keep from paying $4.358 million for breaches in 2012 and 2013 that collectively exposed information about approximately 35,000 individuals.

In early April, MD Anderson filed suit against HHS Secretary Alex Azar in the U.S. District Court for the Southern District of Texas; this time it is arguing that the Office for Civil Rights (OCR) lacks the authority under HIPAA to fine MD Anderson because it is a type of state agency and that the fines imposed are excessive. Both arguments were also advanced at the ALJ level, but those judges said they did not have the jurisdiction to address them.

HHS has not yet filed its response. But to its argument that OCR exceeded allowable fines, MD Anderson seems already to have won. Just a few weeks after its suit was filed, OCR announced it would no longer apply an across-the-board annual maximum of $1.5 million, regardless of the severity of the violation. If the new fines are applied to MD Anderson, it would signal a big win for it.

This document is only available to subscribers. Please log in or purchase access.