On April 22, 2019, Thora Johnson was quoted in Report on Medicare Compliance regarding The University of Texas MD Anderson Cancer Center's appeal of a $4.3 million civil monetary penalty (CMP) for violating HIPAA privacy and security regulations.
According to the article, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) fined MD Anderson Cancer Center in connection with three breaches that led to the disclosure of 33,500 people's electronic protected health information when mobile devices went missing. MD Anderson argued that CMPs don't apply to "states and state agencies" like MD Anderson, because they were not included in the 1996 HIPAA statute, and OCR overstepped by adding them to the HIPAA regulations.
Johnson says it's an interesting argument, but she's unsure MD Anderson will prevail. "MD Anderson has not addressed the fact that the Department of Health and Human Services foresaw this potential challenge in the preamble to its proposed enforcement regulations. It cited to Supreme Court precedent as the basis for its authority to define 'persons' subject to the CMPs in its regulations broadly enough to include states and state agencies. This may come up in the government's response." Meanwhile, MD Anderson has publicly embraced HIPAA; its notice of privacy practices is on its website, and "state agencies have held themselves out as covered by HIPAA," she says.
If MD Anderson wins, it would put public hospital districts and other state agencies potentially in the position of saying "OCR doesn't have any enforcement authority over us. We are complying because 'it is the right thing to do,'" she says. "We will see in time how strong an argument it is. MD Anderson is certainly pointing out a potential weakness." Either way, states and state agencies may have obligations under other state and federal laws to keep health information private and secure, Johnson notes.