M.D. Anderson Cancer Center’s $4.3 Million HIPAA Penalty Revoked on Appeal

The U.S. Court of Appeals for the Fifth Circuit has reversed the $4,348,000 HIPAA violation charges enforced by the Department of Health and Human Services’ Office for Civil Rights on the University of Texas M.D. Anderson Cancer Center.

The Civil Monetary Penalty was charged to M.D. Anderson in 2018 after the investigation of three data breaches that were reported to OCR between 2013 and 2014 concerning the loss/stealing of unencrypted gadgets between 2012 and 2013. Two unencrypted flash drives with patient ePHI were missing, and an unencrypted laptop with the ePHI of 29,021 patients was stolen.

The OCR’s investigation determined that M.D. Anderson violated two conditions of the HIPAA Regulations. The first violation was the inability to employ encryption or use another equivalent solution to control access to ePHI saved on electronic units. The second is the failure to stop unauthorized disclosures of ePHI.

HIPAA penalties have levels and are dependent on the degree of liability. OCR established that M.D. Anderson had an acceptable reason to know it violated the HIPAA Rules. OCR computed the right fines to be $1,348,000 for not implementing encryption and $1.5 million annually for the impermissible disclosures of ePHI.

M.D. Anderson contested the financial penalties and had two lost reviews. OCR enforced the civil monetary fines on the Texas healthcare company in June 2018. M.D. Anderson then filed a petition at the 5th Circuit Court of Appeals to examine the decision in April 2019.

M.D. Anderson claimed that the HHS’ Office for Civil Rights is a government agency and went past its authority by issuing the civil monetary fines, considering that M.D. Anderson is a state department and not a ‘person’ that is covered by the Enforcement Provision of the HIPAA. M.D. Anderson furthermore claimed the financial penalty was quite high. At that time it was the third biggest HIPAA penalty to be enforced on just one covered entity for HIPAA regulations violations.

The two unsuccessful reviews brought about the reading of the case by an Administrative Law Judge (ALJ) who waived to rule on whether or not HIPAA, the HITECH Act, any other law applied, nor whether the civil monetary fine was arbitrary or fickle.

The 5th Circuit mentioned that the petition for re-evaluation ought to be approved for the reasonable cause that the CMP breaks the Administrative Procedure Act (“APA”).”

After going over the financial penalty, the Court of Appeals decided that OCR had behaved arbitrarily, and its judgment was capricious and in contrast to the law for about four explanations. As demanded by HIPAA, M.D. Anderson had put in place a process for encryption around 2006, nevertheless, OCR didn’t show that M.D. Anderson had not undertaken enough to safeguard the ePHI of patients. It was merely possible to present that three staff didn’t adhere to M.D. Anderson’s encryption guidelines.

The Court of Appeals likewise identified a problem with the impermissible disclosure component of the judgment. The HIPAA’s meaning of disclosure implies an affirmative act as opposed to a passive loss of data, and furthermore, that ePHI should be exposed to a person external to the covered entity, when that can’t be confirmed in this instance.

The Court of Appeals likewise considered the decision to penalize a number of covered entities for loss/theft events and not others was not consistent. With regards to the penalty amount, under the “reasonable cause” penalty level, the biggest fine for violations of an equivalent provision in a calendar year can’t go beyond $100,000. The ALJ and the Departmental Appeals Board however decided that the annual statutory limitation was $1,500,000.

Adhering to the Court of Appeals petition, OCR accepted that the $4,348,000 financial penalty can’t be rationalized and requested the Court of Appeals to lower the penalty by 10 times to $450,000.

The Court of Appeals determined that the Government had given no legal basis for the civil monetary penalties, left the CMP order, and returned the issue for other proceedings in accordance with the court’s opinion. https://www.ca5.uscourts.gov/opinions/pub/19/19-60226-CV0.pdf

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.