University of Texas MD Anderson Cancer Center will not have to pay a $4.3 million fine to HHS after a federal appeals court vacated the penalty Thursday, writing that the government had offered "no lawful basis" for the multimillion-dollar civil monetary penalty.
Houston-based MD Anderson in 2019 filed a petition with 5th U.S. Circuit Court of Appeals to review the fine, which HHS' Office for Civil Rights doled out in 2018 to settle alleged HIPAA violations tied to three separate data breaches. The trio of breaches took place in 2012 and 2013, involving loss and theft of an unencrypted laptop and two unencrypted flash drives.
Altogether, the devices contained data on about 33,800 patients.
At the time, the $4.3 million penalty marked the fourth largest HIPAA-related settlement from OCR, with agency officials arguing the breaches highlighted MD Anderson's alleged failure to implement encryption policies required under HIPAA that would have protected the data.
But after MD Anderson filed its petition for review with the Fifth Circuit, HHS "conceded that it could not defend its penalty," according to an opinion from Circuit Judge Andrew S. Oldham. The department asked the court to reduce the fine by a factor of 10 to $450,000.
HHS did not immediately respond to a request for comment.
The Fifth Circuit ruled that under HIPAA a covered entity must "implement a mechanism to encrypt and decrypt electronic protected health information"—which MD Anderson achieved through employee policies and training. MD Anderson still gets credit for those policies even though the employees involved in the data breaches allegedly didn't follow them, Oldham wrote.
"MD Anderson undisputedly had 'a mechanism,' even if it could've or should've had a better one," he wrote. "So MD Anderson satisfied HHS's regulatory requirement, even if the government now wishes it had written a different one."
The court also determined that HHS had misapplied HIPAA's disclosure rule and neglected to follow per-year penalty caps for the violations as outlined by Congress.
The case has been remanded to a lower court for further proceedings.
It's not the first time MD Anderson pushed back against the HIPAA penalty.
An HHS administrative law judge in 2018 upheld HHS' decision to fine MD Anderson $4.3 million, writing that MD Anderson's "dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure" of digital protected health information after OCR and MD Anderson both moved for summary judgment.
In 2019, HHS' departmental appeals board affirmed the administrative law judge's decision.
"Our purpose throughout this legal process has been to bring transparency, accountability and consistency to the Office for Civil Rights' enforcement process," an MD Anderson spokesperson wrote in an emailed statement Friday. "We are committed to respecting HIPAA and the rules of protecting patient information, and we continually evaluate and enhance our data protection and privacy procedures."