The United States Court of Appeals for the Fifth Circuit (the “Court”) vacated a $4,348,000 civil monetary penalty (“CMP”) that the U.S. Department of Health and Human Services’ Office for Civil Rights (“HHS-OCR”) imposed in 2017 on the University of Texas M.D. Anderson Cancer Center (“MD Anderson”) for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule and Security Rule. The Court held that HHS-OCR’s action was “arbitrary, capricious, and otherwise unlawful” and remanded the case for further proceedings. Although the decision is binding only within the Fifth Circuit, MD Anderson is the first HIPAA Covered Entity to take a CMP to a Circuit Court since the Privacy Rule and the Security Rule took effect. The ruling is likely to shape future HIPAA settlement negotiations with HHS-OCR and to encourage Covered Entities to appeal enforcement outcomes they consider unreasonable.
The case arose from three incidents at MD Anderson in 2012 and 2013: the theft of an unencrypted laptop and the loss of two unencrypted USB thumb drives, which together held the electronic protected health information (“e-PHI”) of approximately 35,000 individuals. MD Anderson reported the incidents to HHS-OCR and was subsequently assessed the CMP of more than $4 million. MD Anderson lost two administrative appeals of the CMP before petitioning the Fifth Circuit for judicial review.
The Fifth Circuit held that the MD Anderson CMP violated the Administrative Procedure Act (“APA”), which directs courts to “hold unlawful and set aside” agency actions that are “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.” The Court’s principal reasons were as follows:
- The HIPAA Security Rule does not require “bullet-proof protection of all systems containing e-PHI”; it requires a mechanism to encrypt and decrypt e-PHI (see 45 C.F.R. §164.312(a)(2)(iv)). MD Anderson furnished its employees with “IronKey” devices to encrypt and decrypt mobile devices and trained employees on how to use them. It also implemented a mechanism to encrypt email and various other mechanisms for file-level encryption. The stolen laptop and lost USB drives were not encrypted, but in the Court’s view the record showed only that three employees failed to follow the encryption mechanism MD Anderson required, and that MD Anderson did not enforce its own policies rigorously enough. MD Anderson undisputedly had a mechanism, even if it could or should have had a better one, and so it satisfied this regulatory requirement even if HHS-OCR believed it should have used a different or more effective one. Note that the holding turns on the existence of a mechanism, not on whether the lost devices were actually encrypted; it is not a finding that unencrypted portable media are acceptable, and a Covered Entity that cannot show it deployed and trained on such a mechanism would be in a very different position.
- The HIPAA Privacy Rule prohibits a Covered Entity from disclosing e-PHI, but MD Anderson did not affirmatively disclose the e-PHI of these individuals. The Privacy Rule defines “disclosure” as “the release, transfer, provision of access to, or divulging in any manner of information outside of the entity holding the information.” According to the Court, the administrative law judges seized on the word “release” and concluded that a Covered Entity violates this rule whenever it loses control of e-PHI, regardless of whether anyone outside the Covered Entity ever accesses it, a reading the Court found inconsistent with the regulation. The Court held that MD Anderson took no affirmative act to disclose e-PHI and that HHS-OCR did not prove that anyone outside MD Anderson actually received the e-PHI on the lost devices.
- HHS-OCR had not imposed CMPs on other Covered Entities with similar breaches and “offered no reasoned justification for imposing zero penalty on one covered entity and a multi-million dollar penalty on another.” The Court emphasized the bedrock principle of administrative law that an agency must “treat like cases alike” and must give good reasons when it takes a new position. MD Anderson cited examples of other Covered Entities that had violated the same rules and on which HHS-OCR imposed no penalty at all. For example, a Cedars-Sinai employee lost an unencrypted laptop containing the e-PHI of more than 33,000 patients in a burglary, yet HHS-OCR chose not to issue a CMP against Cedars-Sinai.
- The CMP amounts were inconsistent with the HIPAA Enforcement Rule, which caps at $100,000 per calendar year the total penalty for violations attributable to a Covered Entity’s reasonable cause. HHS-OCR had determined that MD Anderson owed $1,348,000 across three calendar years for violating the Security Rule and $3,000,000 across two years for violating the Privacy Rule, amounts well above what the cap permits.
It remains to be seen whether or how HHS-OCR will adjust its HIPAA enforcement approach or its regulations. Given the Fifth Circuit’s decision in the MD Anderson case, however, HHS-OCR is likely to seek greater consistency across the enforcement decisions that result in CMPs, and it may seek to amend the relevant regulations to give itself more leeway in enforcing violations. Perhaps more importantly, the MD Anderson decision is likely to give significant leverage to companies negotiating with HHS-OCR or appealing CMPs that have already been assessed.