Fifth Circ. Reversed HHS Civil Penalties over Hospital Data Breaches – The National Law Review



February 08, 2021


Sheppard, Mullin, Richter & Hampton LLP full service Global 100 law firm handling corporate law

Will HHS's approach to imposing penalties after a data breach become clearer in 2021? That is a distinct possibility in the wake of a Fifth Circuit decision vacating the penalties imposed on the University of Texas MD Anderson Cancer Center. The hospital suffered three data breaches, after which HHS imposed over $4 million in civil monetary penalties. The Fifth Circuit recently vacated those penalties as arbitrary, capricious, and contrary to law.

In 2012, MD Anderson reported to HHS that an unencrypted laptop containing the electronic protected health information (ePHI) of 29,021 individuals had been lost. It also lost two unencrypted USB thumb drives, one in 2012 and one in 2013; the first held ePHI of more than 2,000 individuals and the second ePHI of nearly 3,600. Following HHS's inquiry and investigation, an Administrative Law Judge sustained civil monetary penalties for the hospital's alleged (i) failure to implement a mechanism to encrypt ePHI stored on electronic devices, or to adopt an alternative and equivalent method of limiting access to it, and (ii) unauthorized disclosure of protected health information in violation of HIPAA and the HITECH Act. On February 8, 2019, the HHS Departmental Appeals Board affirmed that decision.

The Fifth Circuit held that HHS was wrong on both counts. On encryption, the Security Rule does not speak to how effective or how widely applied an encryption mechanism is; it requires only that a covered entity implement a mechanism to encrypt ePHI or adopt an alternative and equivalent method of protecting it. The three devices at issue were not encrypted, but MD Anderson did have an encryption mechanism in place, so the court found that it satisfied the rule's encryption requirement. On disclosure, the court held that HHS had failed to establish that MD Anderson disclosed ePHI to anyone outside the covered entity. Under HIPAA's definition, a disclosure requires an affirmative act of releasing the information; the mere loss of a device is not enough, and HHS must prove that the information actually reached someone outside the entity.

The court also found the penalty arbitrary and capricious because HHS had enforced the civil monetary penalty rules against some entities and not others. As an example, it pointed to another hospital that lost an unencrypted laptop containing ePHI of more than 33,000 patients; HHS investigated that incident and imposed no penalty at all. Finally, the court took issue with HHS's reading of the annual penalty cap: HHS had applied a per-year cap of $1,500,000 when, for the violations at issue, the statutory cap is $100,000. HHS itself had conceded in 2019 that it had been misreading the statute.

Putting it Into Practice: This decision may lead to more consistent penalties and decisions from HHS after companies report data breach incidents to the agency. Note what the decision does not do: it turns on the text of the Security Rule and on HIPAA's definition of disclosure, not on whether keeping ePHI on unencrypted portable devices is acceptable practice. Under HHS's guidance on securing PHI, ePHI encrypted in line with that guidance is not "unsecured," so the loss of an encrypted device is generally not a reportable breach in the first place.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.
National Law Review, Volume XI, Number 39

Elfin Noce Business Trial Attorney

Elfin L. Noce is an Associate in the Business Trial Practice Group in the firm’s Washington, D.C. office.

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and…

Susan Ingargiola is an associate in the Corporate Practice Group in the firm’s New York office.

Areas of Practice

Susan advises healthcare organizations, including hospitals, health systems, insurers, community health centers, health information exchange organizations, pharmaceutical and biotechnology companies, and mobile app developers on health information privacy issues, including compliance with HIPAA and state medical record confidentiality laws, as well as other compliance- related matters. She conducts regulatory diligence in connection with…
