On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit vacated a penalty imposed by the U.S. Office of Civil Rights (“OCR”) on the University of Texas M.D. Anderson Cancer Center (“M.D. Anderson”). The Court’s opinion could mark a significant reduction in the authority and discretion of OCR and tip the balance in favor of covered entities and business associates facing investigations and potential sanctions for alleged HIPAA violations.
The case arose from three separate but similar incidents occurring in 2012 and 2013, each involving the loss of an electronic device containing unencrypted electronic protected health information. In total, the lost information related to approximately 34,000 individuals. Although M.D. Anderson had provided its employees with access to encryption technology, that technology had not been employed in these three instances.
In 2017, OCR’s investigation into the incidents found that M.D. Anderson had failed to implement a mechanism to encrypt protected health information, in violation of its own written encryption policies and despite its own risk analyses, which had found that the lack of device-level encryption posed a high risk to the security of protected health information. OCR treated each day the data remained unencrypted as a separate violation and imposed daily penalties totaling $1.348 million, plus a penalty of $1.5 million for the violation of the disclosure rule in 2012 and $1.5 million for disclosure rule violations in 2013, for a total of $4.348 million. An administrative law judge (“ALJ”) upheld the penalties, as did the HHS Departmental Appeals Board. M.D. Anderson appealed.
After M.D. Anderson filed its appeal, OCR on its own initiative reduced the penalty to $450,000. The United States Court of Appeals for the Fifth Circuit, which undertook a de novo review, determined that even the reduced penalty was improper under the federal Administrative Procedures Act and vacated the ALJ’s ruling. The Court made four key findings:
The Court’s ruling in M.D. Anderson is significant for covered entities and business associates because it supports the following propositions: (1) a failure to encrypt protected health information on a particular device or devices does not establish a violation of the encryption standard if encryption technology is made generally available to members of the workforce, even if some members of the workforce do not use the offered technology; (2) lost information should not be considered “disclosed data” absent proof that an unauthorized person actually obtained the information; (3) OCR must now justify penalties it imposes in relation to penalties or settlements in like cases; and (4) OCR’s ability to assess multimillion-dollar penalties in cases that do not involve willful neglect has been reduced. It remains to be seen whether the Fifth Circuit’s reasoning will be adopted by other circuit courts when evaluating HIPAA violations. Nevertheless, this is a notable victory for covered entities and should lead to a more reasoned enforcement process going forward.