Fifth Circuit Overturns “Arbitrary and Capricious” $4.3 Million HIPAA Penalty Against Hospital

Robinson+Cole Health Law Diagnosis

On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit overturned a $4.348 million penalty for alleged HIPAA violations assessed by the U.S. Department of Health & Human Services (HHS) against the University of Texas M.D. Anderson Cancer Center (Hospital). The case arises from an enforcement action undertaken by HHS following the Hospital’s self-disclosure of three separate instances of lost or stolen portable devices containing electronic protected health information (ePHI). The government’s investigation determined that the devices were not encrypted, and that the Hospital’s failure to encrypt the devices to protect the ePHI contained therein constituted a violation of HIPAA’s Privacy and Security Rules. After HHS imposed the penalty in 2017, the Hospital appealed the penalty first to an Administrative Law Judge, and then to HHS’s Departmental Appeals Board before petitioning the Fifth Circuit for review in 2019 (see our prior analyses of this case here).

In its decision, a Fifth Circuit panel unanimously determined that the penalty “was arbitrary, capricious and otherwise unlawful” for four reasons: (1) HIPAA’s encryption requirements are “addressable” and require covered entities to implement a mechanism to encrypt and decrypt electronic PHI, and the Hospital did implement such a mechanism, “even if it could’ve or should’ve been a better one”; (2) the Fifth Circuit disputed that the Hospital actually “disclosed” PHI in violation of HIPAA as a result of the lost unencrypted devices containing ePHI, because the government could not demonstrate that the Hospital undertook an affirmative act to disclose the information, or that someone outside of the entity actually received it; (3) the government did not pursue similar penalties against other similarly situated covered entities, in violation of longstanding administrative law principles obligating agencies to treat analogous cases similarly; and (4) the government misinterpreted the applicable standard for the penalties assessed, thus imposing a significantly higher penalty than was permitted under HIPAA (an issue HHS conceded as part of the Fifth Circuit’s review in this case).

The Fifth Circuit thus concluded that the government had offered “no lawful basis” for the penalties assessed against the Hospital, and therefore the court vacated the penalties and remanded the case for further proceedings. It remains to be seen whether HHS will now drop the case against the Hospital entirely, or seek to impose reduced penalties in accordance with the Fifth Circuit analysis. Regardless, the Hospital’s successful appeal and this decision provide an interesting roadmap for other covered entities facing HIPAA enforcement actions that might consider challenging the basis for, or amounts of, penalties assessed by HHS.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. 

