$4.3 Million HIPAA Penalty Against MD Anderson Cancer Center Vacated by Fifth Circuit
On January 14, 2021, in a decision that may prompt the Office for Civil Rights (OCR) of the Department of Health and Human Services to realign its enforcement approach, a three-member panel of the Fifth Circuit unanimously vacated a $4.3 million penalty that OCR had imposed on the University of Texas MD Anderson Cancer Center (MD Anderson) for alleged violations of the privacy and security regulations implementing the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act.

The case arose from three incidents in 2012 and 2013 that resulted in MD Anderson's unauthorized disclosure of electronic protected health information (PHI) concerning, in total, nearly 35,000 individuals. Despite the large amount of PHI involved, the Fifth Circuit found that MD Anderson had violated neither the HIPAA security requirements nor the privacy requirements invoked by OCR, and that the civil monetary penalty imposed by OCR was "arbitrary, capricious and otherwise unlawful."

The court found that the evidence of the measures MD Anderson had taken to prevent a security breach showed the kind of reasonable and appropriate safeguards HIPAA requires, and that MD Anderson did not "violate" the law merely by experiencing a security breach after having implemented such reasonable and appropriate safeguards.