Univ. of Tex. M.D. Anderson Cancer Ctr. v. United States HHS

United States Court of Appeals for the Fifth Circuit

January 14, 2021, Filed

No. 19-60226

Opinion

 [*474]  Andrew S. Oldham, Circuit Judge:

Employees of the University of Texas M.D. Anderson Cancer Center ("M.D. Anderson" or "Petitioner") lost patients' data. In response, the United States Department of Health and Human Services ("HHS" or the "Government") fined M.D. Anderson $4,348,000. After M.D. Anderson filed its petition for review, HHS conceded that it could not defend a fine in excess [**2]  of $450,000. The Government's decision was arbitrary, capricious, and contrary to law. We grant the petition for review and vacate the penalty.

Three unfortunate events set the stage for this lawsuit. First, back in 2012, an M.D. Anderson faculty member's laptop was stolen. The laptop was not encrypted or password-protected but contained "electronic protected health information (ePHI) for 29,021 individuals." Second, also in 2012, an M.D. Anderson trainee lost an unencrypted USB thumb drive during her evening commute. That thumb drive contained ePHI for over 2,000 individuals. Finally, in 2013, a visiting researcher at M.D. Anderson misplaced another unencrypted USB thumb drive, this time containing ePHI for nearly 3,600 individuals.

M.D. Anderson disclosed these incidents to HHS. Then HHS determined that M.D. Anderson had violated two federal regulations. HHS promulgated both of those regulations under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act of 2009 (the "HITECH Act"). The first regulation requires entities covered by HIPAA and the HITECH Act to "[i]mplement a mechanism to [**3]  encrypt" ePHI or adopt some other "reasonable and appropriate" method to limit access to patient data. 45 C.F.R. §§ 164.312(a)(2)(iv), 164.306(d) (the "Encryption Rule"). The second regulation prohibits the unpermitted  [*475]  disclosure of protected health information. Id. § 164.502(a) (the "Disclosure Rule").

HHS also determined that M.D. Anderson had "reasonable cause" to know that it had violated the rules. 42 U.S.C. § 1320d-5(a)(1)(B) (setting out the "reasonable cause" culpability standard). So, in a purported exercise of its power under 42 U.S.C. § 1320d-5 (HIPAA's enforcement provision), HHS assessed daily penalties of $1,348,000 for the Encryption Rule violations, $1,500,000 for the 2012 Disclosure Rule violations, and $1,500,000 for the 2013 Disclosure Rule violations. In total, HHS imposed a civil monetary penalty ("CMP" or "penalty") of $4,348,000.

985 F.3d 472 *; 2021 U.S. App. LEXIS 1095 **; 2021 WL 127819

UNIVERSITY OF TEXAS M.D. ANDERSON CANCER CENTER, Petitioner, versus UNITED STATES DEPARTMENT OF HEALTH AND HUMAN SERVICES, Respondent.

Prior History:  [**1] On Petition for Review of a Final Agency Decision of the U.S. Department of Health and Human Services.

CORE TERMS

regulation, encrypt, ePHI, covered entity, capricious, violations, Disclosure Rule, drives, disclosure, employees, quotation, entity, implemented, laptop
