August 4, 2021

Volume XI, Number 216


August 03, 2021

Subscribe to Latest Legal News and Analysis

August 02, 2021

Subscribe to Latest Legal News and Analysis

What Does the Fifth Circuit’s Vacating of HHS HIPAA Fines Mean for Companies This Year?

Will HHS’ approach for imposing penalties in the aftermath of a data breach become a little clearer in 2021? This is a distinct possibility in the wake of a Fifth Circuit decision vacating penalties against MD Anderson Cancer Center. The hospital suffered three data breaches, leading HHS to impose over $4 million in civil penalties. That fine was reversed recently by the Fifth Circuit as arbitrary, capricious, and contrary to law.

MD Anderson first reported to HHS a lost unencrypted laptop that contained ePHI of 29,021 individuals in 2012. It also misplaced two unencrypted USB thumb drives in 2012 and 2013, the first had ePHI of over 2,000 individuals, and the other had ePHI of nearly 3,600 individuals. On February 8, 2019, following HHS’s inquiry and investigation, an HHS Appeals Board affirmed an Administrative Law Judge’s decision sustaining HHS’s civil monetary penalties for the company’s alleged (i) failure to implement encryption or adopt an alternative and equivalent method to limit access to ePHI stored on electronic devices, and for (ii) unauthorized disclosure of protected health information in violation of HIPAA and the HITECH Act.

According to the Fifth Circuit, the HHS ruling on the company’s encryption measures was incorrect. The Security Rule does not address the effectiveness of an encryption mechanism, only that a covered entity must implement an encryption mechanism or adopt an alternative and equivalent method to protect ePHI. While these particular devices in question were not encrypted, MD Anderson did have an encryption mechanism in place. Thus, the court found that MD Anderson did meet the Security Rule’s encryption requirement. On the ruling regarding the disclosure of ePHI, the Fifth Circuit held that HHS had failed to establish that MD Anderson disclosed ePHI to someone outside of the covered entity. The court clarified that under HIPAA’s definition of disclosure, a disclosure required an affirmative act to disclose information and that HHS must prove that the information was actually disclosed to someone outside of the covered entity.

The court found that the penalty imposed by HHS was arbitrary and capricious because it enforced the civil monetary penalty rules against some entities and not others. As an example, the court pointed to another hospital that also lost an unencrypted laptop containing ePHI of more than 33,000 patients, which HHS investigated and imposed no penalty at all. Finally, the court was concerned that HHS had misinterpreted the per-year cap at $1,500,000 when, the Fifth Circuit stated, it is really $100,000. HHS had previously admitted it had misinterpreted the statute back in 2019.

Putting it Into Practice: This decision may result in more consistency in penalties and decisions imposed by HHS after companies report data breach incidents to the agency.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XI, Number 39

About this Author

Elfin Noce Business Trial Attorney

Elfin L. Noce is an Associate in the Business Trial Practice Group in the firm's Washington, D.C. office.


  • Litigation


  • Communications


  • J.D., University of Missouri, Columbia, 2005

  • B.A., Truman State University, 2000


  • *Not admitted in District of Columbia; supervised by partners of the firm

  • Missouri

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...


Susan Ingargiola is an associate in the Corporate Practice Group in the firm's New York office.

Areas of Practice

Susan advises healthcare organizations, including hospitals, health systems, insurers, community health centers, health information exchange organizations, pharmaceutical and biotechnology companies, and mobile app developers on health information privacy issues, including compliance with HIPAA and state medical record confidentiality laws, as well as other compliance- related matters. She conducts regulatory diligence in connection with...