Fifth Circuit Vacates HIPAA Penalty Against M.D. Anderson

In a January 14, 2021 ruling, the U.S. Court of Appeals for the Fifth Circuit (“Fifth Circuit”) vacated a $4.3 million Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) penalty against the University of Texas M.D. Anderson Cancer Center (“M.D. Anderson”), finding the penalty “arbitrary, capricious, and contrary to law.” The decision sets aside the administrative law judge (“ALJ”) decision that had upheld HHS’s imposition of the civil monetary penalty (“CMP”) against M.D. Anderson following the loss and theft of unencrypted devices containing patient data.

In June 2018, the U.S. Department of Health and Human Services (“HHS”) imposed a CMP of $4.3 million against M.D. Anderson after completing an investigation of three data breaches, involving the theft of an unencrypted laptop and the loss of two unencrypted flash drives, that occurred between 2012 and 2013. The laptop and flash drives collectively contained the electronic protected health information (“ePHI”) of approximately 35,000 patients. HHS found that M.D. Anderson had failed to implement encryption, or an equivalent alternative measure, to limit access to ePHI stored on electronic devices, and that it had allowed the unauthorized disclosure of ePHI. HHS also determined that the violations were attributable to “reasonable cause” rather than willful neglect, which is one of the culpability tiers that determine the applicable penalty amounts.

M.D. Anderson unsuccessfully contested the penalty through two levels of administrative appeals before petitioning the Fifth Circuit in April 2019. M.D. Anderson argued both that the penalty was excessive and that HHS, a federal agency, lacked the authority to impose civil monetary penalties on M.D. Anderson, a state agency.

The Fifth Circuit held that the CMP violated the Administrative Procedure Act because HHS’s actions were “arbitrary, capricious, and otherwise unlawful,” for four reasons:

  1. M.D. Anderson had in fact implemented various mechanisms to encrypt ePHI, including “IronKey” devices to encrypt and decrypt data on mobile devices (along with employee training on how to use them), a mechanism to encrypt email, and various other mechanisms for file-level encryption. While HHS argued that M.D. Anderson should have done more, the Court found that the HIPAA Security Rule merely requires “a mechanism” to encrypt ePHI and does not require “bulletproof protection of all systems containing ePHI”;
  2. The HIPAA Privacy Rule defines a disclosure as “the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.” M.D. Anderson did not affirmatively act to disclose PHI, and HHS did not prove that anyone outside the entity actually received the information;
  3. The CMP violated the bedrock principle of administrative law that an agency such as HHS must “treat like cases alike.” The Fifth Circuit found that several other covered entities had experienced similar breaches yet faced no financial penalty at all, in contrast to the multi-million dollar penalty imposed on M.D. Anderson, and that HHS “offered no reasoned justification” for the difference; and
  4. The penalty amounts contradicted the HIPAA Enforcement Rule, which caps the total penalties for all violations attributable to a covered entity’s reasonable cause at $100,000 per calendar year.

After M.D. Anderson filed its petition with the Fifth Circuit, HHS conceded that it could not defend a penalty for the breaches of more than $450,000. The Fifth Circuit vacated the civil monetary penalties and remanded the case for further proceedings consistent with its opinion.

If you have questions, please contact Lisa Pierce Reisz, Liam Gruzs, Jonathan Ishee, Nita Garg, or your regular Vorys attorney.