Skip to main content
Subscribe
  • Sign Up Free
  • Login
  • Subscribe
  • News
    • Current News
    • Providers
    • Insurance
    • Government
    • Finance
    • Technology
    • Safety & Quality
    • Digital Health
    • Transformation
    • ESG
    • People
    • Regional News
    • Digital Edition (Web Version)
    • Patients
    • Operations
    • Care Delivery
    • Payment
    • Midwest
    • Northeast
    • South
    • West
  • Opinion
    • Bold Moves
    • Breaking Bias
    • Commentaries
    • Letters
    • Vital Signs Blog
    • From the Editor
  • Events & Awards
    • Awards
    • Conferences
    • Galas
    • Virtual Briefings
    • Webinars
    • Nominate/Eligibility
    • 100 Most Influential People
    • 50 Most Influential Clinical Executives
    • Best Places to Work in Healthcare
    • Excellence in Governance
    • Health Care Hall of Fame
    • Healthcare Marketing Impact Awards
    • Top 25 Emerging Leaders
    • Top Innovators
    • Diversity in Healthcare
      • - Luminaries
      • - Top 25 Diversity Leaders
      • - Leaders to Watch
    • Women in Healthcare
      • - Luminaries
      • - Top 25 Women Leaders
      • - Women to Watch
    • Digital Health Transformation Summit
    • ESG: The Implementation Imperative Summit
    • Leadership Symposium
    • Social Determinants of Health Symposium
    • Women Leaders in Healthcare Conference
    • Best Places to Work Awards Gala
    • Health Care Hall of Fame Gala
    • Top 25 Diversity Leaders Gala
    • Top 25 Women Leaders Gala
    • - Hospital of the Future
    • - Value Based Care
    • - Hospital at Home
    • - Workplace of the Future
    • - Digital Health
    • - Future of Staffing
    • - Hospital of the Future (Fall)
  • Multimedia
    • Podcast - Beyond the Byline
    • Sponsored Podcast - Healthcare Insider
    • Video Series - The Check Up
    • Sponsored Video Series - One on One
  • Data Center
    • Data Center Home
    • Hospital Financials
    • Staffing & Compensation
    • Quality & Safety
    • Mergers & Acquisitions
    • Data Archive
    • Resource Guide: By the Numbers
    • Surveys
    • Data Points
  • Newsletters
  • MORE+
    • Contact Us
    • Advertise
    • Media Kit
    • Jobs
    • People on the Move
    • Reprints & Licensing
MENU
Breadcrumb
  1. Home
  2. Legal
January 15, 2021 01:17 PM

MD Anderson wins appeal over $4.3M HIPAA penalty

Jessica Kim Cohen
  • Tweet
  • Share
  • Share
  • Email
  • More
    Reprints Print
    Modern Healthcare Illustration / Getty Images

    University of Texas MD Anderson Cancer Center will not have to pay a $4.3 million fine to HHS after a federal appeals court vacated the penalty Thursday, writing that the government had offered "no lawful basis" for the multimillion-dollar civil monetary penalty.

    Houston-based MD Anderson in 2019 filed a petition with 5th U.S. Circuit Court of Appeals to review the fine, which HHS' Office for Civil Rights doled out in 2018 to settle alleged HIPAA violations tied to three separate data breaches. The trio of breaches took place in 2012 and 2013, involving loss and theft of an unencrypted laptop and two unencrypted flash drives.

    Altogether, the devices contained data on about 33,800 patients.

    At the time, the $4.3 million penalty marked the fourth largest HIPAA-related settlement from OCR, with agency officials arguing the breaches highlighted MD Anderson's alleged failure to implement encryption policies required under HIPAA that would have protected the data.

    But after MD Anderson filed its petition for review with the Fifth Circuit, HHS "conceded that it could not defend its penalty," according to an opinion from Circuit Judge Andrew S. Oldham. The department asked the court to reduce the fine by a factor of 10 to $450,000.

    HHS did not immediately respond to a request for comment.

    The Fifth Circuit ruled that under HIPAA a covered entity must "implement a mechanism to encrypt and decrypt electronic protected health information"—which MD Anderson achieved through employee policies and training. MD Anderson still gets credit for those policies even though the employees involved in the data breaches allegedly didn't follow them, Oldham wrote.

    "MD Anderson undisputedly had 'a mechanism,' even if it could've or should've had a better one," he wrote. "So MD Anderson satisfied HHS's regulatory requirement, even if the government now wishes it had written a different one."

    The court also determined that HHS had misapplied HIPAA's disclosure rule and neglected to follow per-year penalty caps for the violations as outlined by Congress.

    The case has been remanded to a lower court for further proceedings.

    It's not the first time MD Anderson pushed back against the HIPAA penalty.

    An HHS administrative law judge in 2018 upheld HHS' decision to fine MD Anderson $4.3 million, writing that MD Anderson's "dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure" of digital protected health information after OCR and MD Anderson both moved for summary judgment.

    In 2019, HHS' departmental appeals board affirmed the administrative law judge's decision.

    "Our purpose throughout this legal process has been to bring transparency, accountability and consistency to the Office for Civil Rights' enforcement process," an MD Anderson spokesperson wrote in an emailed statement Friday. "We are committed to respecting HIPAA and the rules of protecting patient information, and we continually evaluate and enhance our data protection and privacy procedures."

    Letter
    to the
    Editor

    Send us a letter

    Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.

    Recommended for You
    Medicaid waivers
    Supreme Court rules Medicaid enrollees can sue states
    legal money settlement.png
    Aetna, Optum to face revived 'dummy code' lawsuit
    Most Popular
    1
    More healthcare organizations at risk of credit default, Moody's says
    2
    Centene fills out senior executive team with new president, COO
    3
    SCAN, CareOregon plan to merge into the HealthRight Group
    4
    Blue Cross Blue Shield of Michigan unveils big push that lets physicians take on risk, reap rewards
    5
    Bright Health weighs reverse stock split as delisting looms
    Sponsored Content
    Daily Dose Newsletter: Sign up to receive a late afternoon weekday roundup of that day’s breaking news and developments in healthcare.
    Get Newsletters

    Sign up for enewsletters and alerts to receive breaking news and in-depth coverage of healthcare events and trends, as they happen, right to your inbox.

    Subscribe Today
    MH Magazine Cover

    MH magazine offers content that sheds light on healthcare leaders’ complex choices and touch points—from strategy, governance, leadership development and finance to operations, clinical care, and marketing.

    Subscribe
    Connect with Us
    • LinkedIn
    • Twitter
    • Facebook
    • RSS

    Our Mission

    Modern Healthcare empowers industry leaders to succeed by providing unbiased reporting of the news, insights, analysis and data.

    Contact Us

    (877) 812-1581

    Email us

     

    Resources
    • Contact Us
    • Advertise with Us
    • Ad Choices Ad Choices
    • Sitemap
    Editorial Dept
    • Submission Guidelines
    • Code of Ethics
    • Awards
    • About Us
    Legal
    • Terms and Conditions
    • Privacy Policy
    • Privacy Request
    Modern Healthcare
    Copyright © 1996-2023. Crain Communications, Inc. All Rights Reserved.
    • News
      • Current News
      • Providers
      • Insurance
      • Government
      • Finance
      • Technology
      • Safety & Quality
      • Digital Health
      • Transformation
        • Patients
        • Operations
        • Care Delivery
        • Payment
      • ESG
      • People
      • Regional News
        • Midwest
        • Northeast
        • South
        • West
      • Digital Edition (Web Version)
    • Opinion
      • Bold Moves
      • Breaking Bias
      • Commentaries
      • Letters
      • Vital Signs Blog
      • From the Editor
    • Events & Awards
      • Awards
        • Nominate/Eligibility
        • 100 Most Influential People
        • 50 Most Influential Clinical Executives
        • Best Places to Work in Healthcare
        • Excellence in Governance
        • Health Care Hall of Fame
        • Healthcare Marketing Impact Awards
        • Top 25 Emerging Leaders
        • Top Innovators
        • Diversity in Healthcare
          • - Luminaries
          • - Top 25 Diversity Leaders
          • - Leaders to Watch
        • Women in Healthcare
          • - Luminaries
          • - Top 25 Women Leaders
          • - Women to Watch
      • Conferences
        • Digital Health Transformation Summit
        • ESG: The Implementation Imperative Summit
        • Leadership Symposium
        • Social Determinants of Health Symposium
        • Women Leaders in Healthcare Conference
      • Galas
        • Best Places to Work Awards Gala
        • Health Care Hall of Fame Gala
        • Top 25 Diversity Leaders Gala
        • Top 25 Women Leaders Gala
      • Virtual Briefings
        • - Hospital of the Future
        • - Value Based Care
        • - Hospital at Home
        • - Workplace of the Future
        • - Digital Health
        • - Future of Staffing
        • - Hospital of the Future (Fall)
      • Webinars
    • Multimedia
      • Podcast - Beyond the Byline
      • Sponsored Podcast - Healthcare Insider
      • Video Series - The Check Up
      • Sponsored Video Series - One on One
    • Data Center
      • Data Center Home
      • Hospital Financials
      • Staffing & Compensation
      • Quality & Safety
      • Mergers & Acquisitions
      • Data Archive
      • Resource Guide: By the Numbers
      • Surveys
      • Data Points
    • Newsletters
    • MORE+
      • Contact Us
      • Advertise
      • Media Kit
      • Jobs
      • People on the Move
      • Reprints & Licensing