The U.S. Court of Appeals on Jan. 14 vacated University of Texas MD Anderson Cancer Center's $4.3 million HIPAA fine for losing more than 35,000 patients' protected health information.
The court ruled that HHS had acted arbitrarily and inconsistently in finding that the Houston-based cancer center had violated two information security regulations stemming from three data breach incidents in 2012-13, according to the U.S. Court of Appeals for the Fifth Circuit opinion filed Jan. 14.
In June 2018, HHS fined MD Anderson $4.3 million after completing its investigation of the theft of an unencrypted laptop from the cancer center and the loss of two unencrypted flash drives. HHS found that while MD Anderson had had encryption policies since 2006, it did not adopt systemwide encryption of electronic PHI until 2011. HHS's Office for Civil Rights said the cancer center also failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011, and Jan. 25, 2013.
MD Anderson appealed the HHS fine in April 2019, arguing that HHS, as a federal agency, did not have the authority to impose civil monetary penalties against the cancer center because MD Anderson is a state agency. The hospital also argued that HHS's penalty was excessive.
After MD Anderson filed its petition with the Court of Appeals, HHS conceded it could not defend a fine for the breaches of more than $450,000. The court vacated the civil monetary penalties and remanded the case for further proceedings consistent with the opinion.