The United States Court of Appeals for the Fifth Circuit recently vacated a $4.3 million civil monetary penalty imposed by the Department of Health and Human Services’ Office for Civil Rights (“OCR”) in 2017 against the University of Texas M.D. Anderson Cancer Center (“MD Anderson”). The Court held that OCR’s civil monetary penalty for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule and HIPAA Security Rule was “arbitrary, capricious, and otherwise unlawful.”

The MD Anderson case stemmed from three breaches suffered by MD Anderson in 2012 and 2013 that resulted in the unauthorized disclosure of the protected health information (“PHI”) of approximately 35,000 patients. OCR investigated and imposed the $4.3 million civil monetary penalty, finding that MD Anderson had allegedly, during the calendar years 2011-2013, (1) failed to implement a mechanism to encrypt electronic PHI (“ePHI”) in violation of the HIPAA Security Rule and (2) improperly disclosed PHI in violation of the HIPAA Privacy Rule. MD Anderson appealed the penalty to an administrative law judge (“ALJ”), who upheld the penalty in June 2018.

MD Anderson then appealed the penalty to the United States Court of Appeals for the Fifth Circuit, which undertook a de novo review. The Fifth Circuit vacated the ALJ’s ruling and held that OCR’s actions were “arbitrary, capricious, and otherwise unlawful” for four reasons:

  1. MD Anderson implemented various mechanisms to encrypt ePHI, including an “IronKey” to encrypt and decrypt mobile devices, a mechanism to encrypt emails and various other mechanisms for file-level encryption, and the plain text of the HIPAA Security Rule “does not require a covered entity to warrant that its mechanism provides bulletproof protection of all systems containing ePHI”;
  2. The text of the HIPAA Privacy Rule defines a disclosure as “the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information”; MD Anderson did not affirmatively act to disclose PHI, and OCR did not prove that anyone outside the entity received the information;
  3. OCR failed to impose penalties against several other covered entities for similar breaches, and OCR “offered no reasoned justification for imposing zero penalty on one covered entity and a multi-million-dollar penalty on another”; and
  4. The penalty amounts contradicted the HIPAA Enforcement Rule, which limits all penalties within a calendar year for all violations that were attributable to a covered entity’s reasonable cause to $100,000 (a point that OCR conceded, and OCR in fact asked for the penalty to be reduced to $450,000).

The MD Anderson decision may encourage other covered entities or business associates to challenge civil monetary penalties they receive from OCR. As we wrote about in 2019, OCR reduced the maximum annual penalties for most HIPAA violations, though it is unclear whether OCR’s action was a direct response to the MD Anderson case.

Read the court’s holding here.