Can you expect a softer HIPAA enforcement?

What does the recent court overturn of the $4.3 million HIPAA violation against MD Anderson Cancer Center (MDACC) mean for Covered Entities going forward?

Cybersecurity and HIPAA enforcement

This court action was the first of its kind, but is it an indication that we may see more?

To answer that question, we need to take a closer look at the case itself. MD Anderson fought the penalty for 2 years, and lost an earlier round, before obtaining this ruling, so it didn't come without considerable legal cost to MDACC. It's also important to note that the vulnerability cited by OCR was the lack of encryption on most of MDACC's devices (this was back in 2012). That gap had already been identified as a vulnerability in an MDACC risk assessment, and a plan of action was in place. Unfortunately, two highly publicized breaches in 2012 and 2013 put the spotlight on the organization and caught the attention of OCR. Without going into too much detail, MDACC maintained that the data in question was research-related and therefore not subject to HIPAA requirements. In the end, it appears MDACC will escape the bulk of the penalty, but the reasons may not be what you expect.

For starters, after the first ruling, OCR announced a revised interpretation of the penalty provisions that reduced the annual maximum penalties. We've discussed this previously. It's not that OCR is showing a kinder side; it's more a recognition of the enormous costs entities incur when recovering from a breach, of which the penalty is only a small part. Another critical component of the ruling that overturned the penalty was the court's finding that OCR had exceeded its statutory limits, so the penalty was excessive. Here's the statement issued by OCR Director Roger Severino:

“Upon further review of the statute by the HHS Office of the General Counsel, HHS has determined that the better reading of the HITECH Act is to apply annual limits as… $25,000 for no knowledge, $100,000 for reasonable cause, $250,000 for corrected willful neglect, and $1.5 million for uncorrected willful neglect,” OCR Director Roger Severino wrote, at the time. “HHS will use this penalty tier structure, as adjusted for inflation, until further notice.”

And that brings us up to date. With this announcement, we can expect fewer large penalties to be assessed. While that's good news, as I mentioned previously, the financial damage inflicted by a breach of PHI is so significant that a smaller penalty is of little benefit.

This change may be an opportunity for your organization to re-evaluate its risk profile and to speak with your insurance provider. Our recommendation is to treat the change as an opportunity to harden your defenses against the more sophisticated attacks now hitting the healthcare sector.

If you’d like more details on how you can increase your cybersecurity protections, or evaluate how strong your current protections are, we can help.

Click smart: when in doubt, call the sender before you open an attachment, click a link, or send money to new payment instructions.


If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.


For more HIPAA information, download our ebook – The Ultimate HIPAA Compliance Handbook.

The HIPAA Security Rule requires covered entities to implement a security awareness and training program for all members of their workforce (including management). Have your team sign up for our weekly HIPAA Security Reminders to help stay compliant.