Cancer Center appeals $4.3 Million Penalties for HIPAA Breaches

In 2012 and 2013, the University of Texas MD Anderson Cancer Center (the “Cancer Center”) exposed protected health information pertaining to approximately 35,000 individuals. The Cancer Center has been involved in the appeals process regarding penalties imposed by the federal Office for Civil Rights (“OCR”) of approximately $4.3 million associated with the HIPAA breaches.

The Cancer Center is now arguing, in a suit filed in the U.S. District Court for the Southern District of Texas against the Secretary of the federal Department of Health and Human Services, that the OCR lacks authority under HIPAA to fine the Cancer Center because it is a type of state agency and because the fines are excessive.

Although the OCR is often able to reach settlements with entities that it believes to have violated HIPAA, no such settlement was reached in this situation despite the fact that settlement efforts were made. The alleged breaches in this situation derive from a stolen laptop, two missing USB drives, and the Cancer Center’s failure to implement access controls (specifically encryption and decryption).

Previously, the Cancer Center’s appeal focused on claims that the HIPAA Security Rule does not require encryption and that HIPAA does not apply to research data. Both of those claims were unsuccessful at earlier stages in the appeals process. The Cancer Center’s current appeal focuses on the Cancer Center being exempt from HIPAA and on the civil money penalties being unreasonably high. In part, its argument that the penalties are inappropriate stems from the fact that the alleged violations were caused by 3 employees, out of more than 21,000 employees over a 2 year period. In addition, the Cancer Center argues that the fines were the maximum amount that the OCR could impose in a situation in which PHI was intentionally disclosed to cause harm and where such harm occurred, which makes them unreasonable in this situation. Further, the Cancer Center continues to argue that it had appropriate policies in place and that it was not required to encrypt the data.

The Cancer Center’s argument for exemption from HIPAA civil monetary penalties stems from the fact that HIPAA permits fines to be imposed on a “person,” which term includes private and public entities, but does not include states or state agencies. This argument has broad implications because, if the Cancer Center prevails, then any entity that is a part of a state entity (including, possibly, state health plans, state health care organizations, and state Medicaid plans) can argue that it not a “person” that is subject to HIPAA.

Benkoff Health Law represents health care providers and suppliers in advising clients about HIPAA compliance and creating policies to comply with HIPAA.If you have any questions about HIPAA or any other health care regulatory compliance questions, please contact Benkoff Health Law at (248) 482-2780 or via email at You may also subscribe to our health law blog by adding your email at the top of this page.