
Fifth Circuit, Criticizing OCR’s HIPAA Enforcement Process, Vacates $4.3 Million Civil Penalty



Univ. of Tex. M.D. Anderson Cancer Ctr. v. HHS, 2021 WL 127819 (5th Cir. 2021)


A federal appeals court has overturned a $4.3 million civil monetary penalty against a cancer treatment and research center (a HIPAA covered entity), ruling that the penalty assessment was “arbitrary, capricious, and otherwise unlawful.” As background, HHS’s Office for Civil Rights (OCR) investigated the covered entity after protected health information (PHI) of more than 30,000 individuals was breached following the theft of an unencrypted laptop computer and the loss of two unencrypted USB drives. After concluding that the covered entity failed to implement organization-wide encryption despite internally acknowledging its necessity, OCR proposed penalties related to the failure and for unauthorized disclosures of PHI. An administrative law judge (ALJ) denied the covered entity’s administrative challenge to the proposed penalty (see our Checkpoint article), rejecting arguments that (1) full encryption was not required because alternative mechanisms were in place, including annual security training, password protection, device encryption, and backup in case of disaster or loss of information; and (2) losing PHI did not constitute an unauthorized disclosure because OCR could not prove that any unauthorized party had accessed the PHI. The ALJ upheld penalties of $1.3 million for the encryption failure and $3 million for the unauthorized disclosures. The covered entity then sought the court’s review.

First addressing encryption, the court determined that the covered entity complied with the security rule by implementing “a mechanism” to encrypt PHI: requiring employees to encrypt confidential or protected data on portable computing devices, furnishing them an encryption tool, encrypting emails, and adopting file-level encryption in specified software. The court discounted that the three devices at issue were not encrypted, noting that the security rule does not require covered entities to warrant that all PHI is completely inaccessible to unauthorized users. And the covered entity’s desire to do more in the future did not mean that it failed to encrypt patient data. Next, the court rejected the ALJ’s conclusion that unauthorized disclosures occur whenever a covered entity loses control of PHI, concluding that OCR must show that PHI was disclosed to someone outside the covered entity to prove a violation. Turning to the penalties, the court faulted the ALJ for not comparing OCR’s proposed penalty to its enforcement of other similar violations (at least one of which resulted in no penalty). Lastly, the court ruled that OCR’s application of a $1.5 million annual cap for identical violations in a calendar year was arbitrary and capricious, citing OCR’s own policy change which would have limited penalties in this case to $100,000 per calendar year (see our Checkpoint article). Moreover, misapplication of the cap led the ALJ to disregard mitigating factors that should have reduced the penalty. The court returned the case to HHS for further administrative proceedings.

EBIA Comment: Although this case is still working its way through proceedings, this strongly worded opinion calls into question some fundamental principles of OCR’s enforcement approach. For example, OCR has consistently asserted that an unauthorized disclosure occurs whenever PHI is publicly accessible through an internet search—regardless of whether it can demonstrate that anyone actually accessed the PHI in that way. It will be harder for OCR to establish privacy rule violations if it has to prove that an unauthorized recipient actually accessed PHI. Although this is just one opinion, its blunt criticism of OCR’s enforcement process may have significant ramifications, possibly emboldening covered entities and business associates to dispute proposed penalties more forcefully. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.E (“Civil Monetary Penalties”), XXX.D.1 (“Standard: Access Control”), and XXX.D.5 (“Standard: Transmission Security”).

Contributing Editors: EBIA Staff.
