On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit overturned a $4.348 million penalty for alleged HIPAA violations assessed by the U.S. Department of Health & Human Services (HHS) against the University of Texas M.D. Anderson Cancer Center (Hospital). The case arises from an enforcement action undertaken by HHS following the Hospital’s self-disclosure of three separate instances of lost or stolen portable devices containing electronic protected health information (ePHI). The government’s investigation determined that the devices were not encrypted, and that the Hospital’s failure to encrypt the devices to protect the ePHI contained therein constituted a violation of HIPAA’s Privacy and Security Rules. After HHS imposed the penalty in 2017, the Hospital appealed the penalty first to an Administrative Law Judge, and then to HHS’s Departmental Appeals Board before petitioning the Fifth Circuit for review in 2019 (see our prior analyses of this case here).

In its decision, a Fifth Circuit panel unanimously determined that the penalty “was arbitrary, capricious and otherwise unlawful” for four reasons: (1) HIPAA’s encryption requirements are “addressable” and require covered entities to implement a mechanism to encrypt and decrypt electronic PHI, and the hospital did implement such a mechanism “even if it could’ve or should’ve been a better one;” (2) the Fifth Circuit disputed that the hospital actually “disclosed” PHI in violation of HIPAA as a result of the lost unencrypted devices containing ePHI, because the government could not demonstrate that the hospital actually undertook an affirmative act to disclose the information, or that someone outside of the entity actually received it; (3) the government did not pursue similar penalties against other similarly-situated covered entities, in violation of longstanding administrative law principles obligating agencies to treat analogous cases similarly; and (4) the government misinterpreted the applicable standard for the penalties assessed, thus imposing a significantly higher penalty than was permitted under HIPAA (an issue HHS conceded as part of the Fifth Circuit’s review in this case).

The Fifth Circuit thus concluded that the government had offered “no lawful basis” for the penalties assessed against the Hospital, and therefore the court vacated the penalties and remanded the case for further proceedings. It remains to be seen whether HHS will now drop the case against the Hospital entirely, or seek to impose reduced penalties in accordance with the Fifth Circuit analysis. Regardless, the Hospital’s successful appeal and this decision provide an interesting roadmap for other covered entities facing HIPAA enforcement actions that might consider challenging the basis for, or amounts of, penalties assessed by HHS.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.