MD Anderson Won Against OCR, But Agency’s Response—Including on Fines—Keeps Evolving

By Theresa Defino

Nearly five years passed from the time the University of Texas MD Anderson Cancer Center reported to the HHS Office for Civil Rights (OCR) that three breaches had occurred, until OCR—citing an inability to reach a voluntary settlement—moved to fine the Houston institution $4.348 million.

It would be another six years before a trio of Fifth Circuit Court of Appeals justices would tell OCR that its 2016 position, and previous administrative rulings upholding the fine, were “arbitrary, capricious, and otherwise unlawful.”[1],[2]

MD Anderson and its attorneys were “thrilled that the Fifth Circuit agreed with our interpretation of the law,” attorney Scott McBride told RPP in a wide-ranging interview about the unique case. The litigation ended there because HHS officials didn’t appeal that January 2021 ruling, but “we would have been happy to go to the Supreme Court if they wanted to,” said McBride, a partner in the Houston office of Morgan, Lewis & Bockius LLP.

Ultimately, MD Anderson owed the government nothing, although, of course, the case wasn’t free to pursue (more about that later). But it continues to pay dividends for other covered entities (CEs) and business associates (BAs) who now have a defined “path” to combat “overly aggressive” OCR enforcement of HIPAA regulations, said McBride.

The health care community also has MD Anderson to thank for at least a temporary tenfold reduction in civil money penalties (CMP). Just after its appeals were filed in April 2019, OCR issued a notice of enforcement discretion, acknowledging that the $1.5 million annual caps it had relied on—and which MD Anderson challenged as too high—were not appropriate under a new interpretation of the HITECH Act.[3]

OCR set new maximums that would have reduced MD Anderson’s fine to $450,000; the agency promised to follow up with revised regulations.

Further, the circuit court reinterpreted significant issues related to encryption and impermissible disclosures, which CEs and BAs might not be aware of.

‘We Always Believed We Were Right’

Most CEs and BAs accept OCR’s penalties for alleged HIPAA violations and agree to implement corrective action plans (CAPs). A handful have not settled, but instead accepted imposition of a fine—a decision that also means no CAP, which can be a cost-saving as they are expensive to implement.

The suit involved a “handful” of attorneys on both sides, said McBride. He would not disclose how much the litigation cost MD Anderson but said it was less than the fine OCR wanted it to pay. “We always believed we were right,” said McBride when asked why MD Anderson pursued the case for nearly a decade.

McBride cautioned that, although MD Anderson was successful, following this example requires a commitment of time and resources that may extend “beyond the administrative process and into federal court.”

Nevertheless, “people should look at [appeal] options and then pursue those where they think it makes sense,” he said.

This document is only available to subscribers. Please log in or purchase access
Purchase Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings