5th Circuit Overturns $4.3 Million HIPAA Penalty

Written by: Brett Lawrence, Esq.

On January 14, 2021, the United States Court of Appeals for the 5th Circuit overturned a $4.348 million fine issued by the Department of Health and Human Services (“HHS”) for alleged HIPAA violations against the University of Texas M.D. Anderson Cancer Center.

Factual Background

The case arose as a result of HHS’ enforcement action against the hospital for three inadvertent disclosures of electronic protected health information (“ePHI”). In 2012, a hospital faculty member’s laptop was stolen that was not encrypted nor password-protected that contained ePHI on 29,021 individuals. Again in 2012, a hospital trainee lost an unencrypted USB thumb drive holding ePHI of over 2,000 people. Finally, in 2014, a visiting researcher at the hospital misplaced another unencrypted thumb drive with ePHI of nearly 3,600 individuals.

Upon disclosure to HHS, required under HIPAA, HHS in 2017 penalized the hospital $1.348 million for not encrypting its ePHI and $3 million for the inadvertent disclosures. The hospital lost its administrative appeals to an Administrative Law Judge and to HHS’ Departmental Appeals Board, before petitioning the 5th Circuit for review.

5th Circuit’s Decision

In a unanimous decision, the 5th Circuit held that HHS’ hefty fine was “arbitrary, capricious, and otherwise unlawful” for four reasons. First, the 5th Circuit held the hospital did have a mechanism for encrypting ePHI, but the three employees unfortunately failed to abide by the hospital’s HIPAA-compliant encryption mechanism. Second, HHS could not demonstrate that the hospital affirmatively chose to “disclose” the ePHI, or that someone “outside” of the hospital received ePHI, as those terms are defined under HIPAA. Third, HHS violated the bedrock principle of administrative law by not treating the hospital’s data breach the same as other covered entities with similar factual circumstances who suffered from inadvertent disclosure of ePHI. Lastly, HHS misinterpreted the statutory standard for assessing penalties by imposing a fine greater than the per-year statutory cap of $100,000.

The 5th Circuit concluded by stating that HHS “offered no lawful basis for its civil monetary penalties” against the hospital and remanded the matter for further proceedings consistent with its opinion.

Conclusion

Now all that remains is whether HHS will impose smaller fines against the hospital or drop the case entirely. Time will tell whether future aggrieved covered entities will attempt to get its own HHS fines reduced or potentially expunged using this analysis from the 5th Circuit.