Landmark HIPAA Ruling Reversal Sets the Stage for New OCR Penalty Challenges

What the $4.3 Million Penalty Reversal Means for Texas Practice Administrators

A recent landmark ruling has overturned a $4.3 million civil monetary penalty imposed on the University of Texas MD Anderson Cancer Center, setting the stage for other challenges to penalties issued by the Department of Health and Human Services' Office for Civil Rights (OCR).

This ends a years-long legal battle between OCR and MD Anderson, which suffered three data breaches in 2012 and 2013 that led to the unauthorized disclosure of protected health information ("PHI") belonging to around 35,000 patients.

The original ruling stated that MD Anderson had failed to implement a mechanism to encrypt electronic PHI (“ePHI”), and had improperly disclosed PHI in violation of the HIPAA Privacy Rule. 

But according to the recent reversal from the United States Court of Appeals for the Fifth Circuit:

  • MD Anderson had implemented multiple safeguards to encrypt and protect ePHI, and the plain text of the Security Rule requires a mechanism to encrypt ePHI, not a guarantee that those safeguards provide "bulletproof protection" of every system containing ePHI.
  • Because the HIPAA regulations define a disclosure as "the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information," MD Anderson could not be held liable for a disclosure: the cancer center did not affirmatively act to disclose PHI, and OCR did not prove that anyone outside the entity actually received the information.
  • The penalty itself exceeded the maximum annual penalty allowed under HIPAA's enforcement provisions, which "limit all penalties within a calendar year for all violations that were attributable to a covered entity's reasonable cause to $100,000."

This reversal sets the stage for new challenges to monetary penalties issued by OCR, especially penalties that followed a breach even though safeguards to protect ePHI were already in place.

What This Means for You

Data breaches are among the top threats to independent medical practices' continuity of care. A breach of any scale will invariably affect your patients, your team, and your practice. To protect yourself this year, here is what our team recommends:

Tip #1: Stay Informed.

Like most things in healthcare, the HIPAA landscape is ever changing. The best defense is awareness and proactivity. Keep an eye out for Zenith Healthcare newsletters to stay on top of compliance updates from our experts.

Tip #2: Set Up Safeguards.

Safeguards may not always prevent a breach, but, as the MD Anderson ruling shows, documented safeguards that were actually in place can play a vital role in limiting your liability and regulatory exposure after one. Encrypt ePHI at rest, particularly on laptops and removable media, and password-protect your data and applications; log and monitor data use so you can show what was and was not accessed; secure mobile devices used in the practice; and conduct regular risk assessments to identify potential vulnerabilities.

Tip #3: Don’t Wait.

Even if an organization is ultimately found not liable for releasing ePHI, the resources needed to defend itself can be extremely burdensome, and the process can drag on for years. When it comes to data breaches, it is a matter of when, not if. Spare yourself the potentially catastrophic impact of a breach by setting up safeguards now.

Prepare Your Practice for 2021 with Our Experts

Our team can help you navigate the ever-changing terrain of HIPAA compliance and understand the impact that your data security has on your ability to protect your patients and your bottom line. Contact our team to discuss how our HIPAA Compliance Program can help protect you.
