A U.S. appellate court has vacated a $4.3 million HIPAA penalty facing University of Texas MD Anderson Cancer Center, stating in its opinion filed last week that the government’s “decision was arbitrary, capricious, and contrary to law.”
In 2018, a Department of Health and Human Services administrative law judge ruled that MD Anderson violated HIPAA privacy and security rules when it lost the personal health information of more than 33,500 individuals about five years prior.
HHS’ Office for Civil Rights investigated MD Anderson, the renowned Houston-based organization focused on cancer care and research, after three separate data breach reports were filed in 2012 and 2013. The data breaches involved the theft of an unencrypted laptop from an MD Anderson employee and the loss of two unencrypted USB thumb drives.
Following its investigation, the OCR said it found that MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of electronic personal health information until 2011, and it failed to encrypt electronic devices containing that type of information between March 24, 2011, and Jan. 25, 2013.
MD Anderson claimed that it was not obligated to encrypt its devices. It also stated that the personal health information at issue was for research, and so it was not subject to HIPAA’s nondisclosure requirements. The organization appealed the penalty twice but was unsuccessful, until it petitioned the U.S. Court of Appeals for the Fifth Circuit for review.
The court concluded that the penalty imposed by HHS was unlawful. The court details its reasoning, including the fact that though the stolen laptop and USB drives were not encrypted, HIPAA regulations state that covered entities need only implement “a mechanism” for encryption. MD Anderson had implemented several encryption mechanisms, including one to encrypt emails, the court opinion states.
“So MD Anderson satisfied HHS’s regulatory requirement, even if the government now wishes it had written a different one,” the opinion states.
Further, HHS conceded that it could not defend a fine of more than $450,000 after MD Anderson filed its petition for review.
“Our purpose throughout this legal process has been to bring transparency, accountability and consistency to the Office for Civil Rights’ enforcement process,” an emailed statement from MD Anderson reads. “As always, patient privacy remains of extreme importance at MD Anderson. We are committed to respecting HIPAA and the rules of protecting patient information, and we continually evaluate and enhance our data protection and privacy procedures to ensure our high standards are met.”
The appellate court vacated the penalty and remanded the matter for further proceedings consistent with its opinion.
Photo: zimmytws, Getty Images