- The case, University of Texas M.D. Anderson Cancer Center vs. U.S. Department of Health and Human Services
- How the Fifth Circuit toppled the case
- Implications for OCR and HIPAA definitions
Read more below.
The Fifth Circuit U.S. Court of Appeals in Louisiana recently vacated over $4.3 million in penalties levied against the University of Texas M.D. Anderson Cancer Center (M.D. Anderson) by the Department of Health and Human Services Office for Civil Rights (OCR) for a series of alleged HIPAA violations.
The case, University of Texas M.D. Anderson Cancer Center vs. U.S. Department of Health and Human Services (HHS), is built on three separate incidents that occurred between 2012 and 2013, involving lost or stolen electronic devices belonging to M.D. Anderson workers, which contained unencrypted protected health information (PHI aka ePHI).
After investigating the occurrences, HHS fined M.D. Anderson a total of $4,348,000. The medical group proceeded to contest the penalties through HHS’ administrative review process, upon which both the administrative law judge (ALJ) and the Department of Appeals Board upheld the penalties.
Here’s where it gets interesting. Upon the appeal, in a strong-worded opinion, the Fifth Circuit determined that HHS’s civil monetary penalties were “arbitrary, capricious, and contrary to law” and went so far as to vacate the penalties through a series of four arguments.
4 Planks to Vacate HHS Penalties
- Encryption: The Fifth Circuit argued that covered entities are required to implement a mechanism to encrypt and decrypt ePHI and that M.D. Anderson had taken the necessary precautions to give staff access and training for these tools, even if the staffers hadn’t implemented the measure before the items were lost/stolen.
- Disclosure: In defense of vacating the fines, The Court of Appeals found issue with whether or not ePHI had actually been exposed to an outside entity as there was no specific proof of such exposure and the HIPAA Rules do not prohibit disclosures of ePHI to any someone, which is to say the ePHI must be disclosed to someone outside of the covered entity.
- Comparable Penalties: A similar breach at Cedars-Sinai Health System, where an unencrypted laptop containing the ePHI of 33,000 patients was lost. However, the resulting verdict imposed no financial penalty. The Court of Appeals said in its ruling that no explanation was given by the government as to why one case attracted a financial penalty and the other did not.
- Penalty Amounts: After an initial Notice of Enforcement Discretion, OCR imposed a maximum fine of $1.5 million per year diminished to a maximum of $100,000 per year. After the case was appealed, OCR conceded that the maximum financial penalty that could be justified was $450,000 and requested the fine be reduced.
What’s in Store for HIPAA?
Adam Greene, a Partner at Davis Wright Tremaine and former HHS OCR senior advisor remarks that this case has a number of large impacts on HIPAA,
“The ruling undermines the entire OCR enforcement approach, indicating that it is arbitrary and capricious for OCR to select a few cases for financial enforcement if the result is that similar fact patterns are enforced differently.”
—Adam Greene, Davis Wright Tremaine
First and foremost, we’re looking at the first court decision regarding an HHS HIPAA enforcement action that vacated HHS’ penalties, and it was achieved through multiple defended positions. The encryption and disclosure arguments provide an interesting look at how responsibility for data protection may change and a shifting definition of “responsibility” that must be exercised by covered entities.
Secondly, the ruling sets a precedent for HHS’s ability to impose fines based on previous rulings and reinforced the lower interpretation of annual HIPAA caps for multiple violations from $1.5 million to $100,000 per year.
If OCR is unable to enforce HIPAA privacy violations their authority in the arena is severely capped. If HHS chooses not to appeal The Fifth Circuit’s ruling, it may force OCR to propose sweeping changes to how HIPAA’s privacy or security rules define violations and mandate repercussions from mishandled ePHI.
The decision illustrates that, typically, if covered entities demonstrate proactive steps to ensure encryption mechanisms are in place before data privacy incidents occur, they’ve successfully mitigated risk, despite the loss of ePHI.
Bookmark our blog to stay up-to-date on the latest regulations and rulings surrounding HIPAA.