Although the HIPAA violations case is far from Michigan, it has ramifications for hospitals around the nation. The U.S. Court of Appeals for the Fifth Circuit recently overturned a $4.38 million fine imposed by the Department of Health & Human Services (HHS) on the University of Texas M.D. Anderson Cancer Center.
The genesis of the case was in the hospital’s voluntary disclosure of three instances of lost or stolen portable devices that contained electronic protected health information (ePHI). An HHS investigation found that the devices had not been encrypted. Because the devices weren’t encrypted to protect the ePHI contained on them, HHS determined that the failure constituted a violation of HIPAA Privacy and Security rules and in 2017, it then assessed the multimillion-dollar penalty.
The hospital appealed the fine to an administrative law judge and from there to the HHS Departmental Appeals Board. When those efforts failed to deliver the desired results, the University of Texas M.D. Anderson Cancer Center petitioned the Fifth Circuit for review.
The Fifth Circuit panel unanimously decided that the fine was “was arbitrary, capricious and otherwise unlawful.”
The court cited four reasons for its decision:
The court vacated the penalties and remanded the case. The National Law Review stated that it isn’t clear if HHS will now impose reduced fines or drop the case entirely.
The publication notes that the successful appeal might serve as a template for others facing HIPAA enforcement actions.