OCR to Ease HIPAA Enforcement for Web-Based Scheduling of COVID-19 Vaccinations

On February 12, 2021, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) provided additional information regarding its previously-announced discretion in the enforcement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act related to privacy, security, and data breaches. OCR stated that it will not penalize covered entities or their business associates for non-compliance with HIPAA arising from the good faith use of online or web-based scheduling applications (“WBSAs”) to schedule COVID-19 vaccination appointments during the COVID-19 pandemic.

During the COVID-19 public health emergency, covered entities, such as large pharmacy chains, or business associates acting on behalf of covered entities, are permitted to use WBSAs to schedule individual appointments for COVID-19 vaccinations. For the purposes of this exercise of discretion, a WBSA is defined as an online or web-based application that allows only the intended parties to access the data and that provides individual appointment scheduling related to large-scale COVID-19 vaccination efforts. Technology that connects directly to the electronic health record (“EHR”) systems used by covered entities is excluded from the definition of a WBSA. The HIPAA privacy rules allow business associates of a covered entity to use and disclose protected health information (“PHI”) for certain functions, but only as permitted by a business associate agreement. During the COVID-19 pandemic, however, covered entities need to schedule a large number of vaccine appointments and often do so through WBSAs. Some of these online scheduling applications, and the way in which covered entities use them, may not comply with the HIPAA privacy rules. Furthermore, WBSA vendors may not know that providers are using their applications to create, receive, maintain, or transmit PHI, which potentially makes the WBSA vendors business associates under HIPAA.

OCR will exercise discretion in the enforcement of HIPAA privacy rules and will not penalize covered entities, their business associates, or WBSA vendors who are technically business associates, for noncompliance as it relates to the scheduling of individual COVID-19 vaccination appointments during the COVID-19 pandemic. This enforcement discretion applies to covered healthcare providers and their business associates, which are, in good faith, using WBSAs to schedule COVID-19 vaccination appointments, as well as WBSA vendors whose platforms are being used to schedule COVID-19 vaccination appointments. Discretion does not apply to covered entities or business associates for activities unrelated to the scheduling of COVID-19 vaccinations or if the covered providers or business associates fail to act in good faith. Instances where a covered entity or business associate is not considered to be acting in good faith include: (i) the use of a WBSA that allows the sale of personal information collected; (ii) the use of a WBSA for purposes other than scheduling COVID-19 vaccination appointments; (iii) the use of a WBSA without reasonable safeguards to protect the PHI; and (iv) the use of a WBSA to screen individuals for COVID-19 before an in-person visit.

George W. Bodenger, Esquire
Law Offices of George W. Bodenger, LLC
575 S. Goddard Blvd, #213
King of Prussia, PA 19406
Office (610) 212-5031
Fax – (484) 416-0229


CMS Implements Changes to Prior Authorization Regulations

On January 15, 2021, the Centers for Medicare & Medicaid Services (“CMS”) issued the CMS Interoperability and Prior Authorization final rule (the “Final Rule”) to improve the prior authorization process and give patients more control in accessing and understanding their health information. Under the Final Rule, certain payers, such as Medicaid and CHIP managed care plans, state Medicaid and CHIP fee-for-service (“FFS”) programs, and issuers of individual market qualified health plans (“QHPs”) on the federally-facilitated exchanges (“FFEs”), must develop and implement technology known as application programming interfaces (“APIs”). APIs are commonly used in smartphone applications and, when incorporated into electronic health records (“EHRs”), can enable simple and immediate access to health information for providers.

Each payer covered by the Final Rule must create a documentation search capability driven by an API and make it publicly accessible, allowing providers to retrieve documentation and prior authorization requirements from various EHR platforms. Once a provider determines what each prior authorization requires, the authorization request can then be submitted electronically. Payers are also required to provide, through the already established patient access API, laboratory results and other claims and encounter data, as well as information regarding a patient’s pending and active prior authorizations.

Payers are also required to share this data with a patient’s provider if requested, and with other payers, in circumstances where a patient’s coverage or provider changes. This requirement will allow patients, providers, and payers to have access to all the necessary data when needed, automating the process and reducing the administrative burden on providers. As a result, providers will be less likely to work with incomplete health information and the likelihood of repeat prior authorization requests will decrease, leaving providers more time to spend with patients. Notably, Medicare Advantage plans are not subject to the requirements of the Final Rule; however, CMS is continuing to consider whether Medicare Advantage plans should be included.

Under the Final Rule, payers will have up to 72 hours to make prior authorizations on urgent requests, and 7 calendar days for non-urgent requests. All payers covered by the Final Rule must provide an exact reason for any denial, giving providers increased transparency in the authorization process. To further encourage accountability, payers are also required to make public statistics related to prior authorizations that illustrate how the payer operates its prior authorization process.

The Final Rule will benefit patients as well; patients will have a better understanding of the prior authorization process, and will be able to better coordinate with their provider to properly plan for their healthcare needs. Patients will also have easier access to their health information and can take their information with them as they change plan


CMS Finalizes Overhaul To Stark And Anti-Kickback Laws

On November 20, 2020, the Centers for Medicare & Medicaid Services (“CMS”) and the HHS Office of Inspector General (“OIG”) released final rules amending two (2) of the primary bodies of federal law governing commercial conduct in the healthcare industry: the physician self-referral prohibitions (known as the “Stark Law”) and the Anti-Kickback Statute (“AKS”).  The Stark Law and AKS were initially created for a fee-for-service healthcare system, in which there are financial incentives to provide more services to patients.  Efforts to modernize these laws began in 2018, with the goal of accommodating the changing financial arrangements triggered by the shift from fee-for-service to value-based care in the U.S. healthcare system.

The Stark Law was initially enacted to prohibit physicians from making referrals to entities with which they have a financial relationship (i.e., an ownership interest or a compensation arrangement).  The final rule creates exceptions for specific value-based payment arrangements among and between various providers and suppliers, and offers new guidance for providers with a financial relationship governed by the Stark Law.  Under the rule, a value-based arrangement is an arrangement for the provision of at least one (1) value-based activity for a target patient population, either between the value-based enterprise and one or more of its participants or among participants in the same value-based enterprise.  A value-based activity can be the provision of an item or service, the taking of an action, or the refraining from taking an action, so long as the activity is reasonably designed to achieve a value-based purpose.

The final rule creates three (3) new exceptions to the Stark Law:

  1. Value-based arrangements for participants in a value-based enterprise that is financially responsible for, and assumes the entire prospective financial risk for, the cost of all related patient care items and services for every patient;
  2. Value-based arrangement remuneration to physicians at meaningful downside financial risk of failing to reach the value-based purpose of the enterprise; and
  3. Value-based compensation arrangements, no matter the risk undertaken by the enterprise or participants. This exception also allows for monetary and nonmonetary remuneration among the parties.

The AKS is a criminal statute, focused on the intent of the parties, that prohibits knowingly and willfully offering, paying, soliciting, or receiving remuneration, in cash or in kind, in exchange for referrals of items and services reimbursable by a federal healthcare program. The final rule adds new safe harbors that protect specific payment practices and business arrangements from AKS penalties in order to allow for improved care coordination, patient care management, and value-based care.  Under the final rule, three (3) new AKS safe harbors are created:

  1. Care coordination arrangements that enhance quality, health outcomes, and efficiency, without necessitating that the participants assume risk. Protected remuneration under this safe harbor must be mainly used to engage in value-based activities directly associated with coordination and management of patient care;
  2. Value-based arrangements involving the exchange of remuneration between a value-based enterprise that has assumed substantial downside financial risk from a payor and a value-based participant that meaningfully shares in that financial risk; and
  3. Remuneration exchanged between a value-based enterprise and a value-based participant in a value-based arrangement in which the enterprise assumes full financial risk for the cost of items and services covered by the payor for each patient.

These new Stark Law exceptions and AKS safe harbors are receiving mixed reviews from healthcare providers.  Hospital industry groups such as the American Hospital Association and the Federation of American Hospitals were optimistic about the regulatory changes, while physician groups such as the American Medical Group Association expressed some degree of skepticism.

Law Offices of George W. Bodenger, LLC is a boutique legal practice providing sophisticated legal services to various types of healthcare providers.  The Firm plans to issue additional commentary on these important changes to the Stark Law and the AKS.  Please contact George W. Bodenger at 610-212-5031 or if you have any questions regarding these matters or if you would like additional information about the Firm.


Providers Must Apply by November 6, 2020 for a Share of $20 Billion CARES Act Distribution

As stated in our previous blog post, on October 1, 2020, HHS announced that it would allocate an additional $20 billion as its Phase 3 General Distribution from the Provider Relief Fund (“PRF”) established under the CARES Act. The Phase 3 General Distribution is intended for providers who were either excluded from the initial two (2) phases, or who were eligible under the first two (2) phases but require additional funding to cover ongoing financial losses incurred during the pandemic.  Time is running out for health care providers to apply to HHS for these funds. The application deadline for what may be the final round of relief funds is November 6, 2020 at 11:59 pm EST.  HHS urges providers to apply as soon as practicable. Applications are accepted on a rolling basis, and HHS asks that providers not wait until the final days of the application period to apply.

The following paragraphs highlight key information regarding the Phase 3 General Distribution:

Who Can Apply?

The following providers are eligible for Phase 3 General Distribution funding: (1) providers who have previously received, rejected or accepted a General Distribution PRF payment; (2) behavioral health providers, including those that have previously received funding; and (3) healthcare providers that began providing services from January 1, 2020 through March 31, 2020.

On October 22, 2020, HHS announced that additional providers, such as residential treatment facilities, chiropractors, and eye and vision providers that have not yet received PRF distributions, are also eligible to receive funds from this last distribution.

When Will Distributions Be Made?

HHS will issue Phase 3 – General Distribution payments as soon as practicable after the November 6th application deadline.  Entities that have not yet received two percent (2.0%) of annual revenue from patient care will be first to receive funds from the Phase 3 General Distribution.

The Phase 3 final payment amounts for applicants that have already received payments equaling two percent (2.0%) of annual patient care revenue will be determined once all applications have been received and reviewed.

How Will HHS Calculate 2% of Annual Revenue for Providers in Operation Less Than a Year?

Providers that began providing patient care in 2020 will be paid approximately 2% of patient care revenue based on the applicant’s reported financial information for those months in 2020 that they were in operation.

HHS has also stated that it may consider data from the same type of provider as the applicant when assessing the amount to be paid.  However, no additional details have been provided regarding how that assessment of similar providers will be utilized to assess funds to be received.

How Will Distributions Over 2% of Annual Revenue Be Calculated?

The Phase 3 General Distribution will also take into account the financial impact of COVID-19 on individual providers and assess whether additional funds should be distributed to certain providers. The actual additional amount to be received will depend in part on the CARES Act funds available after the Phase 3 General Distribution to those that have not yet received an amount equivalent to 2% of annual revenue.

In assessing whether to award a provider additional funds over the two percent (2.0%) annual revenue amount, HHS will consider: (1) a provider’s change in operating revenue from patient care; (2) a provider’s change in operating expenses from patient care, including coronavirus expenses, and (3) payments received by the provider as part of previous Targeted Distributions.

Providers are encouraged to start the application process as soon as possible so as to not miss out on what may be the last general distribution of funds.


If you or your healthcare organization has any questions pertaining to Provider Relief Fund reporting, audits, or healthcare compliance, please contact George W. Bodenger at 610-212-5031 or


Provider Relief Fund Introduces Phase 3 General Distribution

At the outset of the coronavirus (“COVID-19”) pandemic, Congress established the Provider Relief Fund (“PRF”) through the CARES Act in order to help providers who were financially harmed by COVID-19.  Through October 1, 2020, there were two (2) phases of general funding and multiple targeted allocations. The Phase 1 General Distribution allocated $30 billion to eligible providers, and the Phase 2 General Distribution allocated $20 billion to eligible providers, in each case to be distributed by the U.S. Department of Health and Human Services (“HHS”).  In addition to the general distributions, HHS also provided several targeted allocations, including to areas hit especially hard by COVID-19 and to rural healthcare providers and skilled nursing facilities.

On October 1, 2020, HHS announced that it would allocate an additional $20 billion as its Phase 3 General Distribution. The Phase 3 General Distribution is intended for providers who were either excluded from the initial two (2) phases, or who were eligible under the first two (2) phases but require additional funding to cover ongoing financial losses incurred during the pandemic. The application period for this funding began on October 5, 2020 and will end on November 6, 2020.  HHS urges providers to apply as soon as practicable. Applications are accepted on a rolling basis, and HHS asks that providers not wait until the final days of the application period to apply.

The following providers are eligible for Phase 3 General Distribution funding: (1) providers who have previously received, rejected or accepted a General Distribution PRF payment; (2) behavioral health providers, including those that have previously received funding; and (3) healthcare providers that began providing services from January 1, 2020 through March 31, 2020. All providers who receive payments must attest to receiving the payment and accept the associated terms and conditions.

HHS will be using the following criteria in making payment determinations: (1) whether the provider has previously received a PRF payment equal to two percent (2.0%) of patient services revenue; (2) any change in operating revenues from patient care services; (3) any change in operating expenses from patient care services; and (4) any payment already received through prior PRF distributions that represented less than two percent (2.0%) of patient services revenue.

Behavioral health providers are a particular focus of this Phase 3 General Distribution.  Although some were eligible for earlier general distributions, HHS has made it a point to include all behavioral health providers as eligible in this Phase 3 General Distribution. As the COVID-19 pandemic has progressed, the prevalence of symptoms of anxiety in the U.S. has increased from 8.1% in 2019 to 25.5% in 2020, and the prevalence of symptoms of depressive disorder grew from 6.5% in 2019 to 24.3% in 2020.  As a result, many behavioral health providers had to adopt new telehealth technologies to provide patient care—which required a significant amount of funding.  This distribution is intended to assist with these increased costs and increased utilization of behavioral health services.


If you or your healthcare organization has any questions pertaining to Provider Relief Fund reporting, audits, or healthcare compliance, please contact George W. Bodenger at 610-212-5031 or



As anticipated, plaintiffs’ lawyers are advertising in various media forms for plaintiffs infected by COVID-19, and new COVID-19 personal injury lawsuits are being filed at a steady pace.  In recent lawsuits, for example, employees and customers are seeking to recover for financial and emotional damages caused by long-term COVID-19 symptoms and, in certain limited circumstances, even death. These developments suggest that companies are likely to see increased personal injury litigation alleging the transmission of COVID-19.

The following paragraphs set forth certain common questions and considerations about COVID-19 litigation matters.

If an employee sues for an alleged transmission of COVID-19 during work hours, does workers’ compensation exclusivity apply?

State laws vary greatly as to whether illness or death from COVID-19 contracted during work hours is exclusively covered by state workers’ compensation programs. A few states, such as California, adopted a rebuttable presumption that certain categories of workers are presumed to have contracted a workers’ compensation occupational disease if they become ill with COVID-19. Most states have not adopted a rebuttable presumption and allow employers to deny claims where the employee’s infection more likely occurred outside of work, such as during a period of extensive community spread.  Even if an employee’s workers’ compensation claim is denied, employers may argue that state exclusive remedy protections bar tort claims outside the workers’ compensation system.

However, many states recognize an exception to workers’ compensation exclusive remedy protections in instances of gross negligence or intentional harm. Recent COVID-19 related complaints filed in state or federal courts attempt to fit within these exceptions by alleging that employees were denied access to adequate personal protective equipment, or that employees received false information about the safety of the workplace and the likelihood of contracting COVID-19 at work. Regardless of whether these allegations are true, they are designed to circumvent workers’ compensation exclusive remedy provisions.

Is there tort immunity for companies that follow mitigation guidelines?

A few states have passed laws limiting tort liability for in-state businesses. To date, Idaho, Nevada, North Carolina, Oklahoma, Utah and Wyoming have passed laws granting some measure of immunity to businesses for injuries related to the transmission of COVID-19, and legislation is pending in many other states and at the federal level. These laws vary greatly as to the types of businesses covered and the extent to which businesses must follow local health department guidance to qualify for the immunity. In addition, immunity may not apply in cases where plaintiffs allege gross negligence or intentional torts — the same types of allegations that may create an exception to workers’ compensation exclusivity referenced above. Many of the complaints already filed contain similar allegations of intentional wrongdoing by the defendant businesses.

How soon do injured workers or customers need to file their personal injury lawsuits?

Most states require that civil tort claims be filed within two (2) years of the injury; a few states extend the statute of limitations to three (3) years. For injuries or deaths occurring early in the pandemic, the limitations period will not expire until March 2022 at the earliest, meaning companies will continue to face potential litigation for several years after the pandemic subsides.

What can I do to prepare my business for potential lawsuits?

While there is no way to prevent exposure to potential lawsuits alleging workplace COVID-19 exposure, there are some steps that can reduce that risk and position a business to successfully defend a lawsuit. Those include:

  • Following Occupational Safety and Health Administration (OSHA), Centers for Disease Control and Prevention (CDC), and state and local requirements and guidelines, which continue to change over time.
  • Creating and updating a written COVID-19 prevention plan and policies that document measures taken and when.
  • Responding promptly to employee complaints about COVID-19 safety and documenting those complaints as well as the company’s response.
  • Staying abreast of what others in your industry are doing and employee claims they may be facing.
  • Staying abreast of legal developments, which are changing rapidly as the pandemic unfolds; understanding evolving regulatory requirements, industry best practices and litigation trends is key to effective preparation.


Private Equity Firms Purchasing Medical Practices Are in Congress’ Crosshairs with Legislation Calling for Transparency

Federal lawmakers are scrutinizing private equity firms they believe are major culprits of surprise medical bills.

In 2019, the House Energy and Commerce Committee launched a bipartisan investigation into private equity firms’ role in surprise billing.  During this investigation, Committee leaders contacted the leaders of major private equity firms (including Blackstone Group, KKR and Welsh, Carson, Anderson & Stowe) to obtain information and documents surrounding their ownership of physician staffing and emergency transportation companies.  Committee leaders noted that Blackstone owns the physician staffing firm TeamHealth and that KKR had acquired Envision Healthcare, the parent of the emergency department staffing firm EmCare.  The Committee found that these physician staffing firms charge significantly higher in-network rates than their counterparts, thereby driving reimbursement upwards as they enter into staffing arrangements with hospitals and health systems.

This past week, the House Ways and Means Committee announced a legislative initiative to require private equity firms that own and manage physician practices to provide the federal government with information on Medicare payments and real estate investments. The legislation is the latest bid by federal lawmakers to scrutinize firms that critics have said are a driving force behind surprise medical bills.  Among other things, the bill would require private equity owners with a controlling stake in medical providers to file information with the IRS on Medicare reimbursement and on the mortgage and rent payments the firms receive from the providers.  Supporters of the bill seek this transparency to better understand how this segment of the market affects the U.S. healthcare system.

Democrats are concerned about reports that private equity-owned provider groups have been major culprits of foisting surprise medical bills on patients and driving up costs, accusing certain practice groups acquired by private equity firms of employing strategies that inflate costs for patients. The House is working on a package which will include legislation to limit surprise medical bills, which has major bipartisan support.  Major Republican opposition, however, could stymie that plan, as certain Republican leaders have slammed the bill as unfairly targeting one sector of the industry.

George W. Bodenger, Esquire
Law Offices of George W. Bodenger, LLC
40 E. Montgomery Avenue, 4th Floor
Ardmore, PA 19003
Office (610) 212-5031
Fax – (484) 416-0229


United States Files False Claims Act Complaint against South Dakota Neurosurgeon and Physician-Owned Distributorships

In November 2019, the United States filed a complaint against Sioux Falls, South Dakota, neurosurgeon Wilson Asfora, M.D., Medical Designs LLC, and Sicage LLC alleging False Claims Act violations arising from the alleged payment of kickbacks to Asfora linked to the devices he used in spinal surgeries. Medical Designs LLC and Sicage LLC are medical device distributorships in South Dakota owned and operated by Asfora. Such entities are also known as “physician-owned distributorships” or “PODs”. This lawsuit follows a recent $20.25 million settlement between the government and the hospitals where Asfora performed such surgeries, Sanford Medical Center and the Sanford Clinic of Sioux Falls, South Dakota. The hospitals were alleged to have knowingly submitted false claims to federal health care programs for reimbursement of inpatient services provided in connection with Asfora’s surgeries.

The government’s complaint alleges that Asfora, Medical Designs, and Sicage engaged in multiple kickback schemes designed to pay Asfora hundreds of thousands of dollars in exchange for Asfora using spinal devices distributed by Medical Designs and Sicage in his spine surgeries. Despite receiving numerous warnings that he was performing medically unnecessary procedures with the devices in which he had a financial interest, Asfora allegedly continued to perform such procedures while personally profiting from his use of devices sold by Medical Designs and Sicage.

As a general matter, the government views physician ownership of PODs as potentially affecting clinical decision-making, i.e., causing physicians to choose a medical device in which they have a financial interest rather than another device that may be more appropriate for the patient or being influenced to perform unnecessary surgeries. The U.S. Department of Health and Human Services – Office of Inspector General (“OIG”) issued specific guidance addressing physician investments in medical device manufacturers and distributors in an October 6, 2006 letter. In that letter, the strong potential for improper inducements between and among the physician investors, the entities, device vendors, and device purchasers was noted in the context of federal healthcare program fraud and abuse laws.

More recently, in March 2013, OIG issued a Special Fraud Alert regarding PODs that derive revenue from selling, or arranging for the sale of, implantable medical devices ordered by their physician-owners for use in procedures the physician-owners perform on their own patients at hospitals or ambulatory surgical centers. This Special Fraud Alert focused on the specific attributes and practices of PODs that OIG believes produce substantial fraud and abuse risk and pose dangers to patient safety.

As a consequence of this substantive guidance spanning many years, POD activity has been minimal across the United States, particularly since 2013. The South Dakota case, however, is instructive in that it demonstrates the vulnerability of rural health care providers to entering into questionable arrangements with unscrupulous actors, owing to the scarcity of experienced health care counsel in remote areas. In geographic markets with sophisticated health care providers and legal counsel, such questionable arrangements are routinely rejected.


Insurance Fraud Case Against Physician-Owned Pharmacies Over Alleged “Kickbacks” Dismissed

On September 13, 2019, a Pennsylvania judge dismissed a lawsuit brought by Liberty Mutual Insurance Companies against nine (9) pharmacies and their minority physician owners over allegations that the physicians received unlawful kickbacks when they prescribed compounded cream medications to workers’ compensation beneficiaries and the prescriptions were filled by pharmacies in which the physicians held minority ownership interests.

The Philadelphia Court of Common Pleas granted summary judgment to the pharmacies in Liberty Mutual Group v. 700 Pharmacy, LLC, finding that the plaintiffs failed to show that the pharmacies’ ownership structure or the physicians’ “self-referrals” were unlawful. The ruling dismissed the case entirely and cleared the pharmacies and the physician owners of any liability.

Liberty Mutual argued that the ownership of the pharmacies by the physicians provided a means for the defendant physicians to be paid illegal kickbacks for the prescriptions. As stated in the Judge’s opinion, “Physician ownership is not prohibited by the Pharmacy Act as long as the practitioner holding a proprietary or beneficial interest in the pharmacy does not exercise supervision or control over the pharmacist in his professional responsibilities and duties…. The evidence shows that the interest owned by the physicians is not more than 49%, a percentage which has been approved by the Pharmacy Board.” He also noted that the physicians referring patients to pharmacies they partly owned disclosed their ownership interests to their patients.

It is important to note that the pharmacies sold prescription drugs only to workers’ compensation and auto-accident patients, and not to beneficiaries of the Medicare or Medicaid programs. Physician-owned pharmacies, even with minority physician ownership, are generally prohibited under the federal physician self-referral prohibitions, commonly known as the “Stark Law”. The Stark Law lists outpatient prescription drugs as a “designated health service”, and physicians are strictly prohibited from having ownership interests in entities that furnish “designated health services” to Medicare patients unless an exception is satisfied. The pharmacy ownership structures in Liberty Mutual Group v. 700 Pharmacy, LLC, as described in the court documents, do not appear capable of satisfying any exception under the Stark Law and would be considered illegal if the pharmacies served Medicare beneficiaries.

George W. Bodenger, Esquire
Law Offices of George W. Bodenger, LLC
40 E. Montgomery Avenue, 4th Floor
Ardmore, PA 19003
Office (610) 212-5031
Fax – (484) 416-0229



An administrative law judge (“ALJ”) recently ruled that the University of Texas MD Anderson Cancer Center (“MD Anderson”) in Houston must pay a $4.3 million civil money penalty to the HHS Office for Civil Rights (“OCR”) for HIPAA privacy and security violations. It is the fourth largest amount ever paid to OCR in a HIPAA enforcement matter. The penalty comprised daily fines for MD Anderson’s non-compliance over a 22-month period and annual fines of $1.5 million for each of two calendar years. With respect to the $4.3 million penalty, the ALJ noted that MD Anderson is a “multi-billion dollar per year business” and that “remedies in this case need to be more than a pinprick in order to assure that [MD Anderson] and similarly situated entities comply with HIPAA’s non-disclosure requirements.” MD Anderson plans to appeal the decision.

In 2012 and 2013, a series of data breaches occurred at MD Anderson: (i) an employee’s laptop was stolen; (ii) a trainee lost a thumb drive; and (iii) a visiting researcher lost another thumb drive. Altogether, these devices contained records of approximately 33,800 patients. OCR’s investigation revealed that, at the time of these breaches, MD Anderson had written policies requiring encryption. Notwithstanding those policies, MD Anderson did not begin encrypting laptops until years later, and the ALJ noted in his written opinion that MD Anderson “made only half-hearted and incomplete efforts at encryption.” MD Anderson had recognized the need to encrypt data as early as 2006. The ALJ opinion noted that as of November 2013 more than 4,400 MD Anderson computers were not encrypted and that as of January 2014 more than 2,600 MD Anderson computers were still not encrypted. Further, a 2011 MD Anderson risk analysis had identified the lack of an enterprise-wide encryption solution as a “high risk” area. Because the lost health records were not encrypted, OCR determined that MD Anderson violated the HIPAA privacy and security rules.

The MD Anderson ruling demonstrates the importance of an effective HIPAA security program and of timely efforts to ensure full compliance. In particular, (i) areas identified as “high risk” in HIPAA risk analyses should be remediated as quickly as possible; and (ii) covered entities and business associates must actually implement the policies they adopt, since a written encryption policy that is not enforced on the devices carrying PHI offers no protection. The practical point for security programs is that a lost or stolen device whose PHI was encrypted in accordance with HHS guidance generally does not give rise to a reportable breach, whereas an unencrypted device does. The amount of the penalties in this matter serves as an important reminder of the costly impact of HIPAA non-compliance.


Attorney George W. Bodenger


  • Member, American Bar Association, Health Law Section
  • Member, American Health Lawyers Association
  • Member, American Health Lawyers Association Accountable Care Organization Task Force.


  • J.D., Temple University James E. Beasley School of Law
  • M.B.A., Drexel University, summa cum laude
  • B.S., Pennsylvania State University

Bar Admission(s)

  • Pennsylvania
  • New Jersey

