Holding that the Department of Health and Human Services’ Office for Civil Rights (“OCR”) had imposed an “arbitrary, capricious, and otherwise unlawful” penalty, the Fifth Circuit Court of Appeals has vacated a $4.3 million civil monetary penalty imposed in 2017 on MD Anderson Cancer Center for three data breaches that resulted in the unauthorized disclosure of patients’ protected health information (“PHI”). The cited violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules stemmed from breaches that occurred in 2012 and 2013 and affected approximately 35,000 patients.

The January 14, 2021 ruling, styled University of Texas M.D. Anderson Cancer Center v. U.S. Department of Health and Human Services, reversed an administrative law judge’s decision that had initially upheld the penalty. The underlying OCR investigation had found that MD Anderson failed to implement a mechanism to encrypt electronic PHI, and that the unencrypted PHI was ultimately disclosed in violation of the HIPAA Privacy Rule. The Fifth Circuit disagreed on both points. First, it found that MD Anderson had in fact implemented mechanisms to encrypt electronic PHI, and that the Security Rule requires only such a mechanism, not one that provides “bulletproof protection.” Second, MD Anderson had not itself acted to release or otherwise provide access to the PHI, and OCR had not proven that any individual outside the facility had even received the PHI.

The penalty, which OCR ultimately conceded “it could not defend,” was part of a growing trend of large fines imposed following data breaches. For example, in February 2019, Cottage Health paid a $3 million fine for two breaches, and in October 2019, Jackson Health System paid a $2.1 million fine for three cited HIPAA violations from 2013, 2015, and 2016. The Fifth Circuit also found OCR’s penalty practice capricious: OCR had not imposed penalties on other covered entities for similar breaches and could offer no reason or justification for treating MD Anderson differently.

The MD Anderson decision could provide a future roadmap and basis for other covered entities to challenge OCR’s fines for cited HIPAA Security and Privacy Rule violations.

Written by Gavrila Brotz