On January 14, 2021, the United States Court of Appeals for the Fifth Circuit vacated a $4.3 million civil monetary penalty that the Office for Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) imposed against the University of Texas M.D. Anderson Cancer Center (“M.D. Anderson”). OCR ordered the penalty in 2017 following an investigation into three data breaches suffered by M.D. Anderson in 2012 and 2013, finding that M.D. Anderson had violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information and Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”). The Court, however, held that the penalty was “arbitrary, capricious, and otherwise unlawful,” in part based on its interpretation of the HIPAA Rules.
The Court held that the HIPAA Security Rule does not mandate “bulletproof protection” of electronic protected health information (“ePHI”). Instead, the Court found that M.D. Anderson had adopted sufficient “mechanisms” to encrypt ePHI. It also held that the “passive loss of information” did not contravene certain of HIPAA’s restrictions on the disclosure of ePHI. Finally, the Court concluded that HHS’s penalty exceeded the statutory maximum and was inconsistent with other penalties imposed in similar situations. The Fifth Circuit’s decision may provide support for covered entities that seek to challenge penalties associated with HIPAA violations in the future and may invite HHS to consider revisions to its HIPAA enforcement regulations.
The civil monetary penalties imposed against M.D. Anderson stem from three data breaches experienced in 2012 and 2013. The court record contained the following facts: An M.D. Anderson faculty member’s laptop was stolen in 2012. The laptop contained ePHI relating to almost 30,000 individuals and was not encrypted or password-protected. Then, in 2012 and 2013, two M.D. Anderson employees lost unencrypted USB thumb drives, both of which held ePHI for more than 5,000 individuals. In total, these breaches resulted in the unauthorized disclosure of ePHI for about 35,000 people.
After its investigation, OCR concluded that M.D. Anderson violated two provisions of the HIPAA Rules: (1) The failure to “[i]mplement a mechanism to encrypt” ePHI or adopt some other “reasonable and appropriate” method to limit access to patient data (which the court referred to as the “Encryption Rule”); and (2) the unpermitted disclosure of protected health information (which the court referred to as the “Disclosure Rule”). HHS also determined that M.D. Anderson had “reasonable cause” to know it violated these rules. As a result of this investigation, OCR imposed a $4.3 million dollar fine against M.D. Anderson. M.D. Anderson appealed the penalty to an administrative law judge (“ALJ”), who upheld the penalty in June 2018. HHS’s Departmental Appeals Board (“DAB”) subsequently affirmed the ALJ’s decision, and M.D. Anderson sought judicial review from the United States Court of Appeals for the Fifth Circuit, which reviewed the case de novo. The Fifth Circuit vacated the ALJ’s ruling and held that OCR’s enforcement actions were “arbitrary, capricious, and unlawful” for the following four reasons.
The Encryption Rule
The Encryption Rule, as part of the HIPAA Security Rule, requires a HIPAA-covered entity to “[i]mplement a mechanism to encrypt and decrypt electronic protected health information” or adopt some other “reasonable and appropriate” method to limit access to patient data.” See 45 C.F.R. § 164.312(a)(2)(iv). Upon reviewing the evidence, the Court found that M.D. Anderson had in fact implemented “a mechanism.” Specifically, M.D. Anderson required employees to sign an “Acceptable Use Agreement” acknowledging their obligation to encrypt protected health information and provided them with an “IronKey” to encrypt and decrypt mobile devices. M.D. Anderson also had a mechanism to encrypt emails and implemented mechanisms for file-level encryption. Although HHS argued that M.D. Anderson should have done more, pointing to internal documents that indicated M.D. Anderson wanted to strengthen its ePHI security, the Court rejected this “irrational” argument, noting that M.D. Anderson’s desire to do more in the future did not mean that it had failed to meet the Security Rule’s requirement to encrypt patient data in the past. Furthermore, the Court determined that the fact that the lost and stolen items were unencrypted was not evidence that M.D. Anderson lacked “a mechanism” for encryption. Instead, it simply meant that either these employees failed to abide by the mechanism or that M.D. Anderson failed to properly enforce the mechanism.
In vacating the penalties, the Court noted that the “regulation requires only ‘a mechanism’ for encryption.” The Encryption Rule does not require that the mechanism provide “bulletproof protection” for all systems that contain ePHI; nor does it specify what form the mechanism should take. Entities may satisfy the Encryption Rule’s requirements by placing obligations on their employees through an “Acceptable Use Agreement” or providing tools to encrypt ePHI. The Court found that M.D. Anderson satisfied the requirement to have a mechanism and emphasized that if HHS “wants to police just how herculean a covered entity must be in encrypting ePHI, the Government can propose a rule to that effect and attempt to square it with the statutes Congress enacted.”
The Disclosure Rule
The Disclosure Rule, as part of the HIPAA Privacy Rule, prohibits covered entities from disclosing protected health information (“PHI”), including ePHI, unless it is disclosed in accordance with HIPAA. See 45 C.F.R. § 164.502(a). HIPAA defines “disclosure” as “the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.” Id. § 160.103. The ALJ had determined that M.D. Anderson “released” PHI, or in this instance ePHI, by losing control of it, thereby violating the Disclosure Rule. Under the ALJ’s interpretation, a covered entity violates the Disclosure Rule whenever it loses control of ePHI, regardless of whether anyone outside of the covered entity accesses it. However, the Fifth Circuit held that this interpretation of “disclosure” departed from the regulation in at least three ways.
- First, the Court interpreted the regulation as requiring “an affirmative act of disclosure, not a passive loss of information.” The Court notes, however, that the regulation does not require a covered entity to act knowingly in order to violate the Disclosure Rule. A covered entity may affirmatively disclosure information unknowingly, for example, by emailing ePHI to the wrong recipient.
- Second, a “disclosure” requires that information is “made known” to a third party. Therefore, it is impossible to disclose information unless someone actually receives it.
- Third, the Disclosure Rule requires that the ePHI must be disclosed to someone “outside” of the covered entity, or else sharing a laptop between employees, or any other manner of sharing ePHI within the entity, could create liability.
In the present case, the Court found that the facts did not support a violation of the Disclosure Rule. The M.D. Anderson employees did not affirmatively disclose ePHI. Rather, employees merely lost the ePHI or had it stolen from them. In addition, HHS could not prove that any third party “outside of” the company had received the ePHI. Thus, there was no evidence to support that M.D. Anderson violated the Disclosure Rule. The Court rejected HHS’s argument that its interpretation of “disclosure” would make it harder for the agency to enforce the regulation, noting that it was “the sort of policy argument that HHS could vet in a rule making proceeding.”
Failure to Impose Similar Penalties on Other Covered Entities
Highlighting the “bedrock principle of administrative law that an agency ‘treat like cases alike,’” the Fifth Circuit held that the ALJ had acted arbitrarily and capriciously by imposing high penalties against M.D. Anderson but not against other covered entities in similar circumstances. M.D. Anderson provided examples of other covered entities that similarly violated HHS’s interpretation of the Encryption Rule and faced no financial penalty, such as one case where the covered entity’s employee lost an unencrypted laptop containing ePHI of over 33,000 patients during a burglary, yet HHS chose to impose no penalty without any explanation. The Court emphasized that “an administrative agency cannot hide behind the fact-intensive nature of penalty adjudications to ignore irrational distinctions between like cases.”
Amount of Penalties Contradicted the Enforcement Rule
The Court acknowledged that penalties associated with violations of the Encryption Rule and the Disclosure Rule may vary depending on the level of culpability. The ALJ determined that M.D. Anderson’s violations were due to “reasonable cause” and not “willful neglect,” for which the HIPAA statute establishes the statutory cap on civil monetary penalties at no more than $100,000 per calendar year. See 42 U.S.C. §§ 1320d-5(a)(1)(B), (a)(3)(B). Nevertheless, the ALJ determined the per-year statutory cap was $1,500,000, and assessed M.D. Anderson’s penalties for violating the Encryption Rule at $1,348,000 for 2011–2013 and for violating the Disclosure Rule at $3,000,000 for 2012–2013. The Court found the ALJ’s decision was “arbitrary, capricious, and contrary to law,” noting that even HHS had conceded it had misinterpreted the statutory caps by issuing a Notice of Enforcement Discretion Regarding HIPAA Civil Money Penalties only two months after the Departmental Appeals Board upheld the ALJ’s decision. In addition, the Court found that the ALJ had erroneously ignored HHS’s own regulations outlining factors for the agency to consider in assessing penalties.