March 1, 2021

Volume XI, Number 60


February 26, 2021

Fifth Circuit Overturns “Arbitrary and Capricious” $4.3 Million HIPAA Penalty Against Hospital

On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit overturned a $4.38 million penalty for alleged HIPAA violations assessed by the U.S. Department of Health & Human Services (HHS) against the University of Texas M.D. Anderson Cancer Center (Hospital). The case arises from an enforcement action undertaken by HHS following the Hospital’s self-disclosure of three separate instances of lost or stolen portable devices containing electronic protected health information (ePHI). The government’s investigation determined that the devices were not encrypted, and that the Hospital’s failure to encrypt the devices to protect the ePHI contained therein constituted a violation of HIPAA’s Privacy and Security Rules. After HHS imposed the penalty in 2017, the Hospital appealed the penalty first to an Administrative Law Judge, and then to HHS’s Departmental Appeals Board before petitioning the Fifth Circuit for review in 2019 (see our prior analyses of this case here).

In its decision, a Fifth Circuit panel unanimously determined that the penalty “was arbitrary, capricious and otherwise unlawful” for four reasons: (1) HIPAA’s encryption requirements are “addressable” and require covered entities to implement a mechanism to encrypt and decrypt electronic PHI, and the hospital did implement such a mechanism “even if it could’ve or should’ve been a better one;” (2) the Fifth Circuit disputed that the hospital actually “disclosed” PHI in violation of HIPAA as a result of the lost unencrypted devices containing ePHI, because the government could not demonstrate that the hospital actually undertook an affirmative act to disclose the information, or that someone outside of the entity actually received it; (3) the government did not pursue similar penalties against other similarly-situated covered entities, in violation of longstanding administrative law principles obligating agencies to treat analogous cases similarly; and (4) the government misinterpreted the applicable standard for the penalties assessed, thus imposing a significantly higher penalty than was permitted under HIPAA (an issue HHS conceded as part of the Fifth Circuit’s review in this case).

The Fifth Circuit thus concluded that the government had offered “no lawful basis” for the penalties assessed against the Hospital, and therefore the court vacated the penalties and remanded the case for further proceedings. It remains to be seen whether HHS will now drop the case against the Hospital entirely, or seek to impose reduced penalties in accordance with the Fifth Circuit analysis. Regardless, the Hospital’s successful appeal and this decision provide an interesting roadmap for other covered entities facing HIPAA enforcement actions that might consider challenging the basis for, or amounts of, penalties assessed by HHS.

Copyright © 2020 Robinson & Cole LLP. All rights reserved. National Law Review, Volume XI, Number 21

About this Author

Conor Duffy Cybersecurity Attorney
Associate

Conor Duffy is a member of the firm's Health Law Group and its Data Privacy + Cybersecurity Team. He advises hospitals, physician groups, community providers, and other health care entities on general corporate matters and health law issues. He also counsels clients on what measures are needed to safeguard data and patient information.

Regulatory

Conor provides legal counsel to health care clients on various regulatory matters, such as Medicare and Medicaid program compliance, federal fraud and abuse laws, and the Emergency Medical Treatment & Labor Act...

860.275.8342