The United States Department of Health and Human Safety (HHS) recently accused University of Texas MD Anderson Cancer Center of losing thousands of protected patient information. The feds stated the cancer center made these mistakes:
- Laptop with sensitive information left unattended
- Failed to use proper encryption
- Failed to put sufficient safeguards on flash drives
These errors, according to the HHS, led to the failure to protect 35,000 patient documents. As such, the feds issued a $4.3 million fine, stating the error rose to a violation of the Health Insurance Portability and Accountability Act (HIPAA). Administrators with MD Anderson’s Cancer Center countered that the fine was unreasonable. They took the case to court and, when they lower court did not find in their favor, took the fight higher up the ladder to the U.S. Court of Appeals. Ultimately, the U.S. Court of Appeals agreed with the hospital and found the agency’s millions in fines arbitrary and inconsistent.
What happens next?
Although the appeals court vacated the ruling, the issue is not yet resolved. The court sent the case back to the lower courts with the guidance provided by the appellate court. This could mean continued litigation or renewed negotiations. Either way, the hospital system will likely walk away with a win in that it should not have nearly as large of a civil penalty in light of this holding.
The case provides an example of how circuitous these cases can seem. Those who face similar allegations may need to prepare for trial, appeal and get bounced back. Although the process can be time consuming, a successful case can reduce or even eliminate penalties.