Although the HIPAA violations case is far from Michigan, it has ramifications for hospitals around the nation. The U.S. Court of Appeals for the Fifth Circuit recently overturned a $4.38 million fine imposed by the Department of Health & Human Services (HHS) on the University of Texas M.D. Anderson Cancer Center.
The genesis of the case was in the hospital’s voluntary disclosure of three instances of lost or stolen portable devices that contained electronic protected health information (ePHI). An HHS investigation found that the devices had not been encrypted. Because the devices weren’t encrypted to protect the ePHI contained on them, HHS determined that the failure constituted a violation of HIPAA Privacy and Security rules, and in 2017 it assessed the multimillion-dollar penalty.
The hospital appealed the fine to an administrative law judge and from there to the HHS Departmental Appeals Board. When those efforts failed to deliver the desired results, the University of Texas M.D. Anderson Cancer Center petitioned the Fifth Circuit for review.
The Fifth Circuit panel unanimously decided that the fine was “arbitrary, capricious and otherwise unlawful.”
The court cited four reasons for its decision:
- The hospital addressed HIPAA’s encryption requirements, though the implemented mechanism on the devices “could’ve or should’ve been a better one.”
- The Fifth Circuit found that the government couldn’t demonstrate that the hospital acted to disclose ePHI or that someone outside of the hospital actually received the information.
- The government didn’t impose similar fines in similar situations elsewhere.
- The court found that because HHS misinterpreted the applicable regulations, the imposed penalty was significantly higher than what HIPAA allows.
The court vacated the penalties and remanded the case. The National Law Review stated that it isn’t clear if HHS will now impose reduced fines or drop the case entirely.
The publication notes that the successful appeal might serve as a template for others facing HIPAA enforcement actions.