University of Texas M.D. Anderson Cancer Center v. United States Department of Health and Human Services, No. 19-60226 (5th Cir. 2021)Annotate this Case
After employees of M.D. Anderson lost patients' data, HHS fined M.D. Anderson $4,348,000. M.D. Anderson petitioned for review, and HHS conceded that it could not defend a fine in excess of $450,000. HHS then sought a reduction of the penalty by a factor of 10.
The Fifth Circuit granted M.D. Anderson's petition for review and held that the civil monetary penalty (CMP) violates the Administrative Procedure Act because it is arbitrary, capricious, and contrary to law. In this case, HHS steadfastly refused to interpret the statutes at issue; the ALJ likewise refused to consider whether the multi-million-dollar CMP was arbitrary or capricious; and HHS's Departmental Appeals Board agreed with the ALJ. Reviewing de novo, the court concluded that the CMP order was arbitrary, capricious, and otherwise unlawful for at least four independent reasons: 1) based on the Encryption Rule; 2) based on the Disclosure Rule; 3) the ALJ erroneously insisted that the Government can arbitrarily and capriciously enforce the CMP rules against some covered entities and not others; and 4) based on the penalty amounts. Because the Government has offered no lawful basis for its civil monetary penalties against M.D. Anderson, the court vacated the CMP order and remanded for further proceedings.