Will HHS’ approach for imposing penalties in the aftermath of a data breach become a little clearer in 2021? This is a distinct possibility in the wake of a Fifth Circuit decision vacating penalties against MD Anderson Cancer Center. The hospital suffered three data breaches, leading HHS to impose over $4 million in civil penalties. That fine was reversed recently by the Fifth Circuit as arbitrary, capricious, and contrary to law.

MD Anderson first reported to HHS a lost unencrypted laptop that contained ePHI of 29,021 individuals in 2012. It also misplaced two unencrypted USB thumb drives in 2012 and 2013, the first had ePHI of over 2,000 individuals, and the other had ePHI of nearly 3,600 individuals. On February 8, 2019, following HHS’s inquiry and investigation, an HHS Appeals Board affirmed an Administrative Law Judge’s decision sustaining HHS’s civil monetary penalties for the company’s alleged (i) failure to implement encryption or adopt an alternative and equivalent method to limit access to ePHI stored on electronic devices, and for (ii) unauthorized disclosure of protected health information in violation of HIPAA and the HITECH Act.

According to the Fifth Circuit, the HHS ruling on the company’s encryption measures was incorrect. The Security Rule does not address the effectiveness of an encryption mechanism, only that a covered entity must implement an encryption mechanism or adopt an alternative and equivalent method to protect ePHI. While these particular devices in question were not encrypted, MD Anderson did have an encryption mechanism in place. Thus, the court found that MD Anderson did meet the Security Rule’s encryption requirement. On the ruling regarding the disclosure of ePHI, the Fifth Circuit held that HHS had failed to establish that MD Anderson disclosed ePHI to someone outside of the covered entity. The court clarified that under HIPAA’s definition of disclosure, a disclosure required an affirmative act to disclose information and that HHS must prove that the information was actually disclosed to someone outside of the covered entity.

The court found that the penalty imposed by HHS was arbitrary and capricious because it enforced the civil monetary penalty rules against some entities and not others. As an example, the court pointed to another hospital that also lost an unencrypted laptop containing ePHI of more than 33,000 patients, which HHS investigated and imposed no penalty at all. Finally, the court was concerned that HHS had misinterpreted the per-year cap at $1,500,000 when, the Fifth Circuit stated, it is really $100,000. HHS had previously admitted it had misinterpreted the statute back in 2019.

Putting it Into Practice: This decision may result in more consistency in penalties and decisions imposed by HHS after companies report data breach incidents to the agency.