A Recent Fifth Circuit Decision May Raise the Bar for HIPAA Enforcement

On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit, in University of Texas M.D. Anderson Cancer Center v. U.S. Department of Health and Human Services, vacated a $4.3 million civil monetary penalty that the Department of Health and Human Services (HHS) had imposed on M.D. Anderson for alleged HIPAA violations, holding that the penalty was “arbitrary, capricious, and otherwise unlawful.”
M.D. Anderson reported to HHS that it had suffered three separate data breaches in 2012 and 2013: the theft of a laptop and the loss of two USB thumb drives. Each device held unencrypted electronic protected health information (ePHI). After investigating, HHS concluded that M.D. Anderson had failed to meet its obligations under both the HIPAA Security Rule and the HIPAA Privacy Rule and imposed a civil monetary penalty of $4.3 million. M.D. Anderson lost at both administrative levels (before an administrative law judge and then the HHS Departmental Appeals Board) before petitioning the U.S. Court of Appeals for the Fifth Circuit for review.

The Decision

In vacating the penalty, the Fifth Circuit held that HHS had violated the Administrative Procedure Act (APA) for four reasons:

  1. Reading the text of the HIPAA Security Rule, which requires a covered entity to “implement a mechanism to encrypt and decrypt” ePHI (45 C.F.R. § 164.312(a)(2)(iv)), the court noted that the Rule “does not require a covered entity to warrant that its mechanism provides bulletproof protection of all systems containing ePHI.” M.D. Anderson had an encryption mechanism for ePHI and a policy requiring portable devices to be encrypted. Although its employees failed to apply that mechanism to the three devices, the court held that this failure, by itself, did not mean M.D. Anderson lacked a mechanism and so was not a violation of the Security Rule. The holding turns on the Rule’s text, not on the adequacy of the practice: the three devices still held unencrypted ePHI, and their loss was still a reportable breach.
  2. Under the HIPAA Privacy Rule, a disclosure is defined as “the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.” The court read “disclosure” as requiring an affirmative act by the entity, and found that M.D. Anderson had not affirmatively acted to release any ePHI; having a laptop stolen or losing a thumb drive is not such an act.
  3. HHS had not imposed financial penalties on other covered entities for similar device losses. The court held that this selective enforcement violated the “bedrock principle of administrative law that an agency must ‘treat like cases alike.’”
  4. The penalty exceeded the statutory cap under the HIPAA Enforcement Rule: for violations attributable to “reasonable cause” rather than “willful neglect,” the cap is $100,000 for all violations of an identical requirement within a calendar year. (HHS conceded that it had misread the statutory caps and had already reduced M.D. Anderson’s penalty to $450,000.)

As a result of this decision, more covered entities may choose to challenge HHS civil monetary penalties rather than settle, even though HHS had already lowered the maximum annual penalties for most tiers of HIPAA violations in 2019.

HBL has experience in all areas of benefits and employment law, offering a comprehensive solution to all your business benefits and HR/employment needs. We help ensure you are in compliance with the complex requirements of ERISA and the IRS code, as well as those laws that impact you and your employees. Together, we reduce your exposure to potential legal or financial penalties. Learn more by calling 678-439-6236.

Hall Benefits Law, LLC

HBL offers employers comprehensive legal guidance on benefits in mergers and acquisitions, Employee Stock Ownership Plans (ESOPs), executive compensation, health and welfare benefits, healthcare reform, and retirement plans. We counsel a wide spectrum of clients including small, mid-sized, and large companies, 401(k) investment advisors, health insurance brokers, accountants, attorneys, and HR consultants, just to name a few. HBL is passionate about advising clients, and we are dedicated to our mission: to provide comprehensive, personalized, and practical ERISA and benefits legal solutions that exceed client expectations.