Judge Vacates $4.3M OCR Penalty Against MD Anderson Over Data Loss

January 15, 2021 - The US Court of Appeals for the Fifth Circuit has vacated the $4.3 million civil monetary penalty against the University of Texas MD Anderson Cancer Center after two years and several lost appeals. The penalty stemmed from two instances of lost, unencrypted USB drives containing patient data.

The judge ruled the Department of Health and Human Services decision to levy the massive fine against MD Anderson was “arbitrary, capricious, and contrary to law.” And HHS conceded that it could not defend its fine in excess of $450,000.

The highly publicized the Office for Civil Rights settlement stemmed from two data breaches in 2012 and 2013. 

In the first instance, a criminal stole an unencrypted laptop that contained protected health information and research data from a physician’s home in April 2012. The device contained the names, medical records numbers, treatments, research information, and some Social Security numbers, of about 29,201 patients.

Several months later, MD Anderson reported another data loss incident, where a trainee lost an unencrypted portable hard drive on a campus shuttle bus. Another unencrypted USB drive was lost in 2013, which also contained ePHI.

An OCR investigation into the incidents found MD Anderson’s own risk analysis determined that its lack of device-level encryption posed a high risk to the privacy and security of the ePHI in its possession. Despite the risks, OCR alleged MD Anderson did not begin an enterprise-wide adoption of ePHI encryption until 2011.

Further, the entirety of its inventory of electronic devices containing ePHI was not encrypted between March 24, 2011 and January 25, 2013. OCR alleged that these encryption failures led to the ePHI exposure impacting more than 33,000 patients.

OCR further alleged these actions were in direct violation of HIPAA and thus imposed the $4.3 million civil monetary penalty and corrective action plan.

MD Anderson continuously maintained that it was not obligated to encrypt its devices and the ePHI contained on the lost devices was research-based, thus not subject to HIPAA’s nondisclosure requirements. The Texas provider also argued that the HIPAA penalties were unreasonable.

As such, they filed an appeal in two separate courts. In the first case, an HHS Administrative Law judge upheld the HHS decision and ruled that MD Anderson had to pay the penalties for the alleged HIPAA violations.

In previous statements, MD Anderson stressed that in all three incidents, there was no evidence that the affected patient data was viewed or posed any harm to the patients. Officials said they were concerned that “key exhibits and arguments were not considered.”

MD Anderson made a separate appeal, which was also denied and again appealed the decision through the federal court again in April 2019, arguing that the OCR penalty was unlawful as HHS exceeded its authority when it issued a penalty “beyond statutory caps” based on HIPAA rules.

The appeal also argued HHS’ “excessive” penalty violated the Constitution’s eighth amendment. In its defense, MD Anderson stressed that the employees who lost the devices were in direct violation of the provider’s policies and procedures when they failed to employ the encryption tech used by MD Anderson. And encryption is not a requirement under HIPAA, but an optional standard.

A judge has upheld MD Anderson’s claim, as “the government conceded it could not defend its penalty and asked us to reduce it by a factor of 10 to $450,000.”

“The principal argument in M.D. Anderson’s petition is that a state agency is not a ‘person’ covered by HIPAA’s enforcement provision,” according to the ruling. “For the sake of today’s decision, we assume that MD Anderson is such a person and that the enforcement provision therefore applies.” 

“The petition for review nonetheless must be granted for an independent reason: the CMP violates the Administrative Procedure Act,” it added. “The APA directs us to 'hold unlawful and set aside' agency actions that are ‘arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.’ To that end, we must ‘insist that an agency examine the relevant data and articulate a satisfactory explanation for its action.’”

The judge went on to explain that HHS “steadfastly refused to interpret the statutes at all.”

The initial HHS administrative law judge refused to consider whether the penalty was arbitrary or capricious, with the HHS Appeals board upholding the opinion that they had no power to review HHS penalties, according to the ruling.

As such, MD Anderson’s regulatory arguments are de novo, and the judge ruled that there are at least four independent reasons that the OCR penalty was arbitrary, capricious, and otherwise unlawful.

“The Government’s principal response is that it will be difficult for HHS to enforce the disclosure rule if it must show that ePHI was disclosed to someone, and harder still if it must show that ePHI was disclosed ‘outside’ of the covered entity,” according to the ruling.

“Maybe so, maybe not. But that’s precisely the sort of policy argument that HHS could vet in a rulemaking proceeding,” it added.”It’s not an acceptable basis for urging us to transmogrify the regulation HHS wrote into a broader one.”

The case could set a precedent for other healthcare covered entities attempting to overturn a civil monetary penalty.

Notably, HHS OCR did move to reduce the annual limit of civil penalties applied to HIPAA violations for three of its four penalty tiers in April 2019, very shortly after MD Anderson filed its third appeal.

“Upon further review of the statute by the HHS Office of the General Counsel, HHS has determined that the better reading of the HITECH Act is to apply annual limits as… $25,000 for no knowledge, $100,000 for reasonable cause, $250,000 for corrected willful neglect, and $1.5 million for uncorrected willful neglect,” OCR Director Roger Severino wrote, at the time. “HHS will use this penalty tier structure, as adjusted for inflation, until further notice.”