The Fifth Circuit Court of Appeals has overturned a $4.3 million fine on MD Anderson Cancer Center. The fine was originally levied by the US Department of Health and Human Services (HHS) in 2018 for HIPAA violations. HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996, which governs patient privacy.
The fine arose out of three incidents that occurred in 2012 and 2013:
- A laptop of a faculty member was stolen. It was not password-protected or encrypted but contained electronic protected health information (ePHI) for 29,021 individuals.
- An MD Anderson trainee lost an unencrypted USB thumb drive during her evening commute. This contained ePHI for over 2,000 individuals.
- A visiting researcher misplaced another unencrypted USB thumb drive, containing ePHI for nearly 3,600 individuals.
MD Anderson disclosed these incidents to HHS, which determined that MD Anderson had violated two federal regulations. One was the failure to encrypt information covered by HIPAA; the other was unpermitted disclosure of protected health information.
HHS also determined that MD Anderson had ‘reasonable cause’ to know that it had violated the rules. The Administrative Law Judge imposed a fine of $2,000 for each day it wasn’t compliant between 24 March 2011 and 25 January 2013, as well as a $1.5 million fine for each year of noncompliance in 2012 and 2013. The total fine was $4.3 million.
Law interpreted incorrectly
After MD Anderson appealed to the Fifth Circuit Court of Appeals, the government conceded that the maximum fine it could impose was $450,000. Instead, the Appeals Court quashed the fine entirely as arbitrary, capricious and otherwise unlawful. It ruled that the Judge had not interpreted the law correctly in the following ways:
- The HIPAA Act states that entities must have a mechanism to encrypt ePHI. MD Anderson gave its employees an ‘IronKey’ to encrypt and decrypt data and trained employees on how to use it. The Appeals Court ruled that was a ‘mechanism’, even if three employees failed to follow it.
- Under the terms of the regulation HHS wrote, disclosure of protected health information was defined as ‘release, transfer, provide and divulge’. In other words, disclosure requires an active participant, not a passive loss of information. Also, HHS could not prove that someone outside MD Anderson actually received the protected information.
- The judge did not consider other cases involving similar breaches of HIPAA. For instance, a Cedars-Sinai employee lost an unencrypted laptop containing 33,000 patient records. No penalty was imposed in that case.
- Congress stated that for ‘reasonable cause’ violations, the maximum fine was $100,000 per year. Fines for ‘willful neglect’ can be $1,500,000 per year. However, the Judge had determined that the violations in this case were not the result of willful neglect.