Log in

Start free trial
Home 5 Articles 5 4.3 Million Is Too High a Penalty for HIPAA Violation, Says Federal Court

4.3 Million Is Too High a Penalty for HIPAA Violation, Says Federal Court

by | Feb 19, 2021 | Articles, Essential, HIPAA-lca, Lab Compliance Advisor, Labs in Court-lca

Case: A federal appeals court has shot down what had been the fourth largest OCR penalty for a HIPAA violation as having “no lawful basis.” That decision means that instead of $4.3 million, the University of Texas MD Anderson Cancer Center will have to pay $450,000 for failing to encrypt protected patient data. OCR doled out the fine in 2018 to settle alleged HIPAA violations associated with a trio of separate data breaches that occurred in 2012 and 2013, involving the loss and theft of an unencrypted laptop and two unencrypted flash drives containing data on approximately 33,800 patients. Significance: HIPAA requires covered entities to “implement a mechanism to encrypt and decrypt” ePHI. There was no dispute that Anderson fell short in meeting this requirement. The issue was how big a penalty it deserved. It wasn’t like Anderson was cavalier. There were policies and training in place. But the employees involved in the breaches apparently didn’t follow them. The mechanism existed, “even if it could or should have been better,” the Fifth Circuit reasoned. The court also found that OCR failed to abide by per-year penalty caps for HIPAA violations. [University of Texas M.D. Anderson Cancer Center v. U.S. Dept. […]

Case: A federal appeals court has shot down what had been the fourth largest OCR penalty for a HIPAA violation as having “no lawful basis.” That decision means that instead of $4.3 million, the University of Texas MD Anderson Cancer Center will have to pay $450,000 for failing to encrypt protected patient data. OCR doled out the fine in 2018 to settle alleged HIPAA violations associated with a trio of separate data breaches that occurred in 2012 and 2013, involving the loss and theft of an unencrypted laptop and two unencrypted flash drives containing data on approximately 33,800 patients. Significance: HIPAA requires covered entities to “implement a mechanism to encrypt and decrypt” ePHI. There was no dispute that Anderson fell short in meeting this requirement. The issue was how big a penalty it deserved. It wasn’t like Anderson was cavalier. There were policies and training in place. But the employees involved in the breaches apparently didn’t follow them. The mechanism existed, “even if it could or should have been better,” the Fifth Circuit reasoned. The court also found that OCR failed to abide by per-year penalty caps for HIPAA violations. [University of Texas M.D. Anderson Cancer Center v. U.S. Dept. of Health and Human Services, Case 19-60226, U.S. Fifth Circuit, January 14, 2021]

Subscribe to view Essential

Start a Free Trial for immediate access to this article

TRY FOR FREE