The United States Court of Appeals for the Fifth Circuit recently vacated a $4.3 million fine imposed on the University of Texas MD Anderson Cancer Center (“MD Anderson”) by the Department of Health and Human Services’ Office for Civil Rights (“OCR”). The Court ruled that OCR’s fine for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the HIPAA Security Rule was “arbitrary, capricious, and otherwise unlawful.”
The MD Anderson case arose out of three incidents in 2012 and 2013 that resulted in the unauthorized disclosure of protected health information (“PHI”) of approximately 35,000 patients. OCR investigated and imposed a $4.3 million fine, finding that MD Anderson had allegedly (1) failed to implement a mechanism for encrypting electronic PHI (“ePHI”) in calendar years 2011-2013, in violation of the HIPAA Security Rule, and (2) impermissibly disclosed PHI, in violation of the HIPAA Privacy Rule. MD Anderson appealed the penalty to an administrative law judge (“ALJ”), who upheld the penalty in June 2018.
MD Anderson then appealed to the U.S. Court of Appeals for the Fifth Circuit, which conducted a de novo review. The Fifth Circuit vacated the ALJ’s decision, ruling that OCR’s actions were “arbitrary, capricious, and otherwise unlawful” for four reasons:
- MD Anderson had implemented various mechanisms for encrypting ePHI, including an “IronKey” for encrypting and decrypting mobile devices, a mechanism for encrypting e-mail, and various other mechanisms for file-level encryption, and the HIPAA Security Rule does not require a covered entity to “ensure that its mechanism provides bulletproof protection for all systems containing ePHI”;
- The text of the HIPAA Privacy Rule defines “disclosure” as “the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information,” and MD Anderson did not affirmatively disclose the PHI, nor did OCR prove that anyone outside the entity actually received the information;
- OCR had declined to penalize several other covered entities for similar violations, and OCR “did not provide a reasoned justification for imposing a zero penalty on one covered entity and a multi-million-dollar penalty on another”; and
- The penalty amounts violated the HIPAA Enforcement Rule, which caps all penalties within a calendar year at $100,000 for all violations attributable to the reasonable cause of a covered entity (a point OCR conceded; OCR actually requested that the fine be reduced to $450,000).
The MD Anderson decision may encourage other covered entities and business associates to contest civil monetary penalties received from OCR. As we wrote in 2019, OCR lowered the annual maximum penalties for most HIPAA violations, although it is unclear whether OCR’s action was a direct response to the MD Anderson case.
Read the opinion here.