HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

M.D. Anderson Cancer Center Has $4.3 Million OCR HIPAA Fine Overturned on Appeal

The U.S. Court of Appeals for the Fifth Circuit has overturned a $4,348,000 HIPAA violation penalty imposed on University of Texas M.D. Anderson Cancer Center by the Department of Health and Human Services’ Office for Civil Rights.

The Civil Monetary Penalty was imposed on M.D. Anderson in 2018 following an investigation of three data breaches that were reported to the Office for Civil Rights between 2013 and 2014 that involved the loss/theft of unencrypted devices between 2012 and 2013. Two unencrypted flash drives containing the ePHI of 2,264 and 3,598 patients were lost, and an unencrypted laptop computer containing the ePHI of 29,021 patients was stolen.

The Office for Civil Rights investigation concluded that M.D. Anderson was in violation of two provisions of the HIPAA Rules. The first violation was the failure to implement encryption or adopt an alternative and equivalent method to limit access to ePHI stored on electronic devices, and the second prohibits unauthorized disclosures of ePHI.

HIPAA penalties are tiered and are based on the level of culpability, with the Office for Civil Rights determining M.D. Anderson had reasonable cause to know it was in violation of the HIPAA Rules. OCR calculated the appropriate penalties to be $1,348,000 for the of lack of encryption and $1.5 million per year for the impermissible disclosures of ePHI.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

M.D. Anderson contested the financial penalties and after two unsuccessful reviews, OCR imposed the civil monetary penalties on the Texas healthcare provider in June 2018. M.D. Anderson then petitioned the 5th Circuit Court of Appeals to review the ruling in April 2019.

M.D. Anderson maintained that the HHS’ Office for Civil Rights is a federal agency and exceeded its authority by imposing the civil monetary penalties, since M.D. Anderson is a state agency and is therefore not a ‘person’ covered by the Enforcement Provision of the Health Insurance Portability and Accountability Act. M.D. Anderson also alleged the financial penalty was excessive. At the time it was the third largest HIPAA penalty to be imposed on a single covered entity for violations of the HIPAA Rules.

The two failed reviews resulted in the case going before an Administrative Law Judge (ALJ) who refused to rule on whether HIPAA, the HITECH Act, any other statute applied, nor whether the civil monetary penalty was arbitrary or capricious.

The 5th Circuit explained, “For the sake of today’s decision, we assume that M.D. Anderson is such a “person” and that the enforcement provision therefore applies. The petition for review nonetheless must be granted for an independent reason: the CMP violates the Administrative Procedure Act (“APA”).”

After reviewing the financial penalty, the Court of Appeals ruled that the Office for Civil Rights had acted arbitrarily, and its decision was capricious and contrary to law for at least four independent reasons. As required by HIPAA, M.D. Anderson had implemented a mechanism for encryption as early as 2006, but the Office for Civil Rights failed to demonstrate that M.D. Anderson had not done enough to secure the ePHI of its patients. It was only possible to demonstrate that three employees had failed to abide by M.D. Anderson’s encryption policies.

The Court of Appeals also found issue with the impermissible disclosure aspect of the decision. The HIPAA definition of disclosure suggests an affirmative act rather than a passive loss of information, and also that ePHI would need to be disclosed to someone outside the covered entity, when that could not be determined in this case.

The Court of Appeals also found the decision to fine some covered entities for loss/theft incidents and not others was inconsistent. Regarding the penalty amount, under the “reasonable cause” penalty tier, the maximum fine for violations of an identical provision during a calendar year may not exceed $100,000. The ALJ and the Departmental Appeals Board nevertheless determined that the per-year statutory cap was $1,500,000.

Following the petition to the Court of Appeals, the HHS’ Office for Civil Rights conceded that the $4,348,000 financial penalty could not be justified and asked the Court of Appeals to reduce the fine by a factor of ten to $450,000.

The Court of Appeals concluded that the Government had offered no lawful basis for the civil monetary penalties, vacated the CMP order, and remanded the matter for further proceedings consistent with the court’s opinion.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.