
Appeals Court Vacates HIPAA Penalty Imposed Against M.D. Anderson

On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit vacated the civil monetary penalty (CMP) that the Department of Health and Human Services (HHS) imposed against the University of Texas M.D. Anderson Cancer Center (M.D. Anderson) in 2017. The court stated that HHS “offered no lawful basis for its civil monetary penalties against M.D. Anderson” and that HHS’ “decision was arbitrary, capricious, and contrary to law.”

History of the Case

Between 2012 and 2013, M.D. Anderson notified HHS of three separate HIPAA breaches, all involving lost or stolen mobile devices, affecting the electronic protected health information (ePHI) of approximately 35,000 patients. After conducting an investigation, HHS imposed a CMP of $4,348,000 on M.D. Anderson.

HHS had found that M.D. Anderson violated the HIPAA regulations requiring regulated entities to “[i]mplement a mechanism to encrypt” ePHI or adopt another “reasonable and appropriate” method to limit access to patient data, and prohibiting the unpermitted disclosure of PHI. See 45 C.F.R. §§ 164.306, 164.312(a)(2)(iv), 164.502(a). HHS also determined that M.D. Anderson had “reasonable cause” to know it had violated those requirements. HHS assessed daily penalties totaling $1,348,000 for the encryption violations, $1,500,000 for the unpermitted disclosure of ePHI in 2012, and $1,500,000 for the unpermitted disclosure of ePHI in 2013, for the resulting $4,348,000 CMP.

M.D. Anderson unsuccessfully appealed the CMP through two levels of administrative review at the HHS Departmental Appeals Board (first to an Administrative Law Judge (ALJ) and then to the Appellate Division of the Departmental Appeals Board). The ALJ, in the first administrative appeal in 2018, refused to consider whether the CMP was arbitrary or capricious, despite M.D. Anderson’s argument that the CMPs imposed on other HIPAA-regulated entities for losses of PHI were far more lenient than the CMP imposed on M.D. Anderson. The ALJ stated, “I do not evaluate penalties based on a comparative standard. There is nothing in the regulations that suggests that I do so.” In 2019, the Appellate Division of the HHS Departmental Appeals Board issued an opinion agreeing with the ALJ’s determination.

M.D. Anderson then petitioned the Fifth Circuit for review. After the petition was filed, HHS conceded that it could not defend the $4,348,000 CMP and asked the court to reduce it to $450,000.

Court’s Decision to Vacate the CMP

The Fifth Circuit found that the CMP imposed on M.D. Anderson violated the Administrative Procedure Act because it was arbitrary, capricious, and otherwise unlawful for at least four reasons:

  1. M.D. Anderson had implemented “a mechanism” to encrypt ePHI as is required by HIPAA

    M.D. Anderson policy required portable computing devices containing ePHI to be encrypted, and M.D. Anderson provided employees with encryption technology and trained them on how to use it. M.D. Anderson also encrypted emails and had various mechanisms for file-level encryption. The court found that neither M.D. Anderson’s internal documents showing it wanted to strengthen its mechanisms for protecting ePHI, nor the fact that the three stolen or lost devices were unencrypted, meant that M.D. Anderson had failed to implement “a mechanism” to encrypt ePHI. The court wrote, “The regulation simply says ‘a mechanism.’ M.D. Anderson undisputedly had ‘a mechanism,’ even if it could’ve or should’ve had a better one. So M.D. Anderson satisfied HHS’ regulatory requirement, even if the Government now wishes it had written a different one.”

  2. HHS cannot prove M.D. Anderson “disclosed” ePHI without proving that someone outside M.D. Anderson received it

    The ALJ had concluded that a covered entity violates HIPAA whenever it loses control of ePHI, regardless of whether that ePHI is ever accessed by a person outside the covered entity. The court found “[t]hat is not how HHS defined ‘disclosure’ in the regulations” and that HHS therefore “may not define it that way in an adjudication.”

  3. Like cases must be treated alike

    M.D. Anderson had provided examples of covered entities that lost unencrypted mobile devices and on which HHS imposed no CMP. HHS’ response was that it evaluates each case on its individual facts. The court stated, “an administrative agency cannot hide behind the fact-intensive nature of penalty adjudications to ignore irrational distinctions between like cases . . . [w]ere it otherwise, an agency could give free passes to its friends and hammer its enemies—while also maintaining that its decisions are judicially unreviewable because each case is unique.”

  4. HHS misinterpreted the per-year caps for identical violations under the statute

    The ALJ and the Appellate Division of the HHS Departmental Appeals Board had agreed with HHS’ interpretation that the per-year cap for identical violations was $1,500,000. The court, however, held that Congress set the per-year cap for “reasonable cause” violations under the applicable statute at $100,000, not $1,500,000. 42 U.S.C. § 1320d-5(a)(3)(B). The court also noted that HHS issued a “Notice of Enforcement Discretion Regarding HIPAA Civil Money Penalties” two months after the Appellate Division’s decision on the M.D. Anderson penalty. In that Notice, HHS essentially admitted that it had been misinterpreting the statutory caps and stated that the per-year cap for identical “reasonable cause” violations is $100,000. Further, the court stated that the ALJ ignored HIPAA’s own factors for assessing a CMP under 45 C.F.R. § 160.408(b), such as whether the violation caused physical, financial, or reputational harm or hindered an individual’s ability to obtain health care.


Practitioners in this space have long observed that it is virtually impossible to predict the penalties HHS will impose following a data breach and the resulting HHS investigation. CMPs imposed to date have ranged from a few thousand dollars to $16 million. In addition, HHS has issued CMPs against a relatively small number of covered entities and business associates compared with the number of breaches affecting 500 or more individuals reported to HHS, a list of which HHS makes publicly available.

Although the outcome was ultimately a success for M.D. Anderson, it took the organization four years and considerable resources to get there. Note also that, technically, the case is not over: the court remanded it for further proceedings consistent with its opinion. One potential implication of this decision is that HHS will revisit its historical practices in imposing CMPs so that the process is more transparent and organizations are better able to predict, or at least understand, the penalties that may follow a data breach. Additionally, as a result of the court’s decision, more organizations may choose to challenge HHS’ imposition of CMPs arising from future investigations. In today’s world of widespread cyberattacks against health care organizations, HHS needs to strike an appropriate balance between protecting patient data and not unfairly penalizing organizations, most of which are not bad actors and have taken many precautions, from both a policy and a security perspective, to prevent such attacks. In fact, earlier this month the Health Information Technology for Economic and Clinical Health (HITECH) Act was amended to require HHS to take into account whether a covered entity or business associate had certain recognized security practices in place when making determinations regarding enforcement and regulatory actions.

© 2022 Foley & Lardner LLP. National Law Review, Volume XI, Number 29

About this Author

Jennifer L. Urban Data Security Attorney Foley & Lardner Milwaukee, WI

Jennifer L. Urban (formerly Rathburn) is a partner with Foley & Lardner LLP. Jennifer focuses her practice on counseling clients on data protection programs, data incident management, breach response and recovery, monetization of data and other privacy and security issues. She is one of the founders of the Midwest Cyber Security Alliance and has a deep understanding of the complex risk, operational and legal issues companies must address to maintain the confidentiality of, access to, and integrity of their data.

As a member of the firm’s Technology Transactions & Outsourcing...

Jennifer Hennessy, Foley Lardner Law Firm, Privacy Security and Healthcare Attorney

Jennifer J. Hennessy is a privacy and security and health care regulatory attorney with Foley & Lardner LLP. Her practice includes advising businesses on compliance with state and federal data privacy and security laws. She assists covered entities and business associates in complying with the HIPAA Privacy and Security Rules, and also advises businesses and individuals on compliance with state data privacy laws and federal law 42 C.F.R. Part 2, Confidentiality of Alcohol and Drug Abuse Treatment Records. She frequently guides clients through data incident management...

Aaron T. Maguregui Health Care Attorney, Special Counsel Foley & Lardner Tampa, FL

Aaron Maguregui is a health care lawyer and member of the firm’s Privacy, Security & Information Management Practice, and national Telemedicine & Digital Health Industry Team. He advises innovative health care and technology companies to solve complex compliance, cybersecurity, data governance, data privacy, and risk management matters. Working with leading health care insurers, government-sponsored managed care organizations, health care providers, and technology companies, he delivers pragmatic legal advice and action-oriented solutions guidance to help clients reach their goals...