MD Anderson appeals $4.3M HIPAA penalty

Houston-based University of Texas MD Anderson Cancer Center filed an appeal April 9, claiming the $4.3 million HIPAA fine that HHS imposed on the hospital was unlawful, according to GovInfoSecurity.com.

HHS slapped MD Anderson with the fine after the cancer center reported three data breaches that involved unencrypted devices. The three breach reports, in 2012 and 2013, spurred an investigation. The reports involved the theft of an unencrypted laptop and the loss of two unencrypted flash drives.

The investigation found that while MD Anderson had encryption policies in place since 2006, it did not adopt systemwide encryption of electronic personal health information until 2011. The Office for Civil Rights said MD Anderson also failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011, and January 25, 2013.

In the appeal, MD Anderson argues that HHS, as a federal agency, does not have the authority to impose civil monetary penalties against the cancer center because MD Anderson is a state agency. The hospital is also arguing that HHS exceeded its civil penalty authority "beyond the statutory caps" and imposed an "excessive" penalty, according to the report.

MD Anderson is asking for a permanent injunction that would prohibit HHS from attempting to enforce or collect the $4.3 million penalty. The cancer center also is seeking to recover all its litigation costs.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.