Fifth Circuit overturns $4.3 million HIPAA fine against UT Austin Cancer Center

On January 14, 2021, the Fifth Circuit Court of Appeals vacated a $4.3 million civil penalty imposed by the U.S. Department of Health and Human Services (HHS) against the University of Texas M.D. Anderson Cancer Center in relation to three separate data incidents involving the loss of unencrypted electronic protected health information (ePHI).

What happened

The case, titled University of Texas M.D. Anderson Cancer Center v. United States Department of Health and Human Services, No. 19-6022, challenged HHS's penalty, arguing that the loss of unencrypted data did not in itself constitute a breach under the HIPAA regulations. The Fifth Circuit ruled that HHS had failed to prove that the mere loss of unencrypted ePHI, without evidence of actual disclosure, violated the HIPAA rules. The court further held that the $4.3 million penalty was arbitrary, excessive, and beyond HHS's legal authority, and was therefore unlawful.

Main judgment points

  • HHS imposed a $4,348,000 civil monetary penalty, citing violations of the HIPAA encryption rule and the unauthorized disclosure rule.
  • The Fifth Circuit held that HIPAA requires only the implementation of "a mechanism to encrypt" ePHI, not perfect or universal encryption. M.D. Anderson had such a mechanism in place (e.g. IronKey devices, policies, and training).
  • The court rejected the notion that the loss or theft of unencrypted devices automatically constitutes a "disclosure" under HIPAA; instead, a disclosure requires an affirmative act that makes the data known to someone outside the entity, and there was no evidence that the data had been accessed.
  • HHS acted arbitrarily and inconsistently: similar incidents at other covered entities apparently resulted in no penalties, yet it imposed a multi-million-dollar penalty on M.D. Anderson without justification.
  • HHS misapplied the statutory penalty caps: under HIPAA, reasonable-cause violations are capped at $100,000 per calendar year, not $1.5 million. HHS had to concede its miscalculation.

What was said

The court document noted, "We take the opportunity to reiterate what we've said before: neither 'enforcement discretion' nor Heckler v. Chaney empowers an agency to disregard Congress's statutes... And the fact that HHS later recognized its error in a notice of 'enforcement discretion' does nothing to change the text of the regulations HHS promulgated through notice and comment. Nor does it cure the erroneous premises of the decisions by the ALJ and the Departmental Appeals Board."

FAQs

Does every HIPAA breach result in a penalty?

No. HHS considers several factors, including the entity's compliance history, the nature of the violation, harm caused, and whether corrective actions were taken.

Can penalties be reduced or waived?

Yes. HHS can reduce or waive penalties if the covered entity can show that the violation was due to reasonable cause and was corrected promptly, or if a settlement is negotiated through a resolution agreement.