Health IT, Hospitals, Legal

MD Anderson doesn’t have to pay $4.3M HIPAA penalty, court rules

An appellate court lifted a $4.3 million HIPAA fine imposed on the Texas-based cancer care center two years ago for losing the personal health information of more than 33,000 people.

A U.S. appellate court has vacated a $4.3 million HIPAA penalty facing University of Texas MD Anderson Cancer Center, stating in its opinion filed last week that the government’s “decision was arbitrary, capricious, and contrary to law.”

In 2018, a Department of Health and Human Services administrative law judge ruled that MD Anderson violated HIPAA privacy and security rules when it lost the personal health information of more than 33,500 individuals about five years prior.

HHS’ Office for Civil Rights investigated MD Anderson, the renowned Houston-based organization focused on cancer care and research, after three separate data breach reports were filed in 2012 and 2013. The data breaches involved the theft of an unencrypted laptop from an MD Anderson employee and the loss of two unencrypted USB thumb drives.

Following its investigation, the OCR said it found that MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of electronic personal health information until 2011, and it failed to encrypt electronic devices containing that type of information between March 24, 2011, and Jan. 25, 2013.

MD Anderson claimed that it was not obligated to encrypt its devices. It also stated that the personal health information at issue was for research, and so it was not subject to HIPAA’s nondisclosure requirements. The organization appealed the penalty twice but was unsuccessful, until it petitioned the U.S. Court of Appeals for the Fifth Circuit for review.

The court concluded that the penalty imposed by HHS was unlawful. The court details its reasoning, including the fact that though the stolen laptop and USB drives were not encrypted, HIPAA regulations state that covered entities need only implement “a mechanism” for encryption. MD Anderson had implemented several encryption mechanisms, including one to encrypt emails, the court opinion states.

“So MD Anderson satisfied HHS’s regulatory requirement, even if the government now wishes it had written a different one,” the opinion states.

Further, HHS conceded that it could not defend a fine of more than $450,000 after MD Anderson filed its petition for review.

“Our purpose throughout this legal process has been to bring transparency, accountability and consistency to the Office for Civil Rights’ enforcement process,” an emailed statement from MD Anderson reads. “As always, patient privacy remains of extreme importance at MD Anderson. We are committed to respecting HIPAA and the rules of protecting patient information, and we continually evaluate and enhance our data protection and privacy procedures to ensure our high standards are met.”

The appellate court vacated the penalty and remanded the matter for further proceedings consistent with its opinion.

Photo: zimmytws, Getty Images

 

 

 

 

 

Shares0

This article is featured in the Healthcare Docket newsletter, a partnership between Breaking Media publications MedCity News and Above the Law.

Enter your email address to subscribe.

Shares0