Last week the 5th Circuit Court of Appeals vacated the $4.3M civil monetary penalty (CMP) that DoHHS imposed on the University of Texas M.D. Anderson Cancer Center (MD Anderson) in 2017. We are unaware of any precedent for this outcome. We blogged in April 2019 that MD Anderson was appealing the CMP to the Fifth Circuit after losing its administrative law judge appeal in June 2018.
The Office for Civil Rights (OCR) found that MD Anderson had been negligent in losing three unencrypted devices containing the protected health information of more than 35,000 patients, while MD Anderson reportedly argued that the "addressable" encryption implementation specification it was cited under was "optional". At the time, we couldn't believe that a Covered Entity would make such an argument when DoHHS spells out in plain English what "addressable" means: the specification must be implemented if reasonable and appropriate, or an equivalent alternative measure must be implemented and the decision documented.
The Court found that OCR's decision was "arbitrary, capricious, and otherwise unlawful". It read the encryption specification as requiring a covered entity to implement a mechanism for encrypting ePHI, not as guaranteeing that every device is encrypted, and noted that MD Anderson did have encryption technologies deployed. The Court also found that OCR failed to hold other HIPAA-bound entities consistently accountable, offering "no reasoned justification for imposing zero penalty on one covered entity and a multi-million-dollar penalty on another". Lastly, it determined that OCR contradicted the HIPAA Enforcement Rule when calculating MD Anderson's penalty.
It's important to realize that neither we nor our readers were in the courtroom during this process, and it's hard to predict what this means for future OCR CMPs. In the meantime, we recommend building and documenting a compliance program that takes meaningful, demonstrable steps to protect patient information, so that you avoid courtrooms altogether.
A link to the Court of Appeals for the Fifth Circuit decision is embedded in the graphic below.
Stay (HIPAA) safe, Alan -