01/21/2021 | News release | Distributed by Public on 01/21/2021 15:54
On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit issued an opinion in University of Texas M.D. Anderson Cancer Center v. U.S. Department of Health and Human Services (M.D. Anderson Cancer Center) striking down an over US$4.3 million civil monetary penalty (CMP) imposed by the U.S. Department of Health and Human Services (HHS) for alleged violations of the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and the implementing regulations thereunder (collectively, the HIPAA Rules). The Fifth Circuit's interpretation of certain requirements under the HIPAA Rules, as well as its scrutiny of HHS's selective imposition of penalties, may benefit covered entities and business associates looking to challenge HHS enforcement activities, or potentially to avoid a conclusion of a breach in the first instance.
M.D. Anderson Cancer Center arose from three separate incidents in 2012 and 2013 in which workforce members of the University of Texas M.D. Anderson Cancer Center (M.D. Anderson), a HIPAA-covered entity, lost unencrypted electronic protected health information (ePHI). In one incident, an M.D. Anderson faculty member's laptop was stolen; the laptop, which contained ePHI for over 29,000 individuals, was not encrypted or password-protected. The two other incidents involved a lost or misplaced USB thumb drive containing ePHI for a few thousand individuals; in both instances, the USB thumb drive was not encrypted.
Consistent with its breach notification obligations under the HIPAA Rules, M.D. Anderson disclosed these three incidents to HHS. The agency concluded that, due to these incidents, M.D. Anderson had violated two standards under the HIPAA Rules: (i) the 'addressable' requirement at 45 C.F.R. § 164.312(a)(2)(iv) to '[i]mplement a mechanism to encrypt and decrypt' ePHI (Encryption Rule), which M.D. Anderson had determined to be 'reasonable and appropriate' for its organization; and (ii) the general prohibition at 45 C.F.R. § 164.502(a) that a covered entity may not use or disclose protected health information (PHI, which includes ePHI), except as permitted or required under the HIPAA Rules (Disclosure Rule). Concluding that M.D. Anderson had 'reasonable cause' to know that it had violated the Encryption Rule and the Disclosure Rule, HHS imposed an aggregate CMP totaling over US$4.3 million. This CMP amount consisted of daily penalties (totaling US$1,348,000) for the Encryption Rule violations, US$1,500,000 for the 2012 Disclosure Rule violations, and US$1,500,000 for the 2013 Disclosure Rule violations. At the time, these CMP amounts were consistent with HHS regulations issued in 2013 (the Enforcement Rule), which authorized aggregate annual penalties of up to US$1.5 million for identical violations due to 'reasonable cause.'
Following two levels of unsuccessful administrative appeals, first before an administrative law judge (ALJ) and then before the HHS Departmental Appeals Board (DAB), M.D. Anderson petitioned the Fifth Circuit for review of the penalty imposed by HHS. Notably, two months after the DAB's decision in this case, HHS issued a 'Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties' (Enforcement Discretion Memo), in which HHS stated that (i) the Enforcement Rule was promulgated based on an interpretation of the HITECH Act that HHS no longer considered to be the 'most logical reading' of the statute; and (ii) based on a 'better reading' of the statute, HHS had determined, among other things, that the annual limit for identical violations due to 'reasonable cause' should be US$100,000. HHS indicated that, as a matter of enforcement discretion, all enforcement actions for violations of the HIPAA Rules would be subject to the (smaller) CMP caps set forth in the Enforcement Discretion Memo. Consistent with this Enforcement Discretion Memo, HHS conceded as part of the Fifth Circuit litigation that it could not defend the US$4.3 million aggregate penalty imposed on M.D. Anderson, and requested that the Fifth Circuit reduce the total penalty amount to US$450,000.
On appeal, the Fifth Circuit held that the penalty imposed by HHS against M.D. Anderson violated the Administrative Procedure Act (APA). As a result, the Fifth Circuit vacated the penalty and remanded the matter for further proceedings consistent with its opinion.
The Fifth Circuit began by noting that, under the APA, a court must set aside agency actions that are 'arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.' Reviewing M.D. Anderson's statutory and regulatory arguments de novo, the Fifth Circuit concluded that HHS's CMP order was 'arbitrary, capricious, and otherwise unlawful' for at least four independent reasons.
The Fifth Circuit concluded that M.D. Anderson had not actually violated the Encryption Rule. The court emphasized that the Encryption Rule, by its plain terms, requires that a covered entity '[i]mplement a mechanism to encrypt and decrypt' ePHI. Noting that M.D. Anderson contractually required its employees to encrypt ePHI stored on portable computing devices and had implemented technical safeguards (e.g., use of an IronKey for mobile devices, encryption software) to ensure encryption of ePHI, the court found that M.D. Anderson had 'plainly implemented 'a mechanism' to encrypt ePHI.' While the Fifth Circuit acknowledged that the three incidents described above demonstrated that the three workforce members 'failed to abide by the encryption mechanism, or that M.D. Anderson did not enforce that mechanism rigorously enough,' the court emphasized that the plain language of the Encryption Rule only requires that a covered entity have a 'mechanism' for encryption in place; a covered entity's failure to encrypt three devices did not mean that it 'never implemented 'a mechanism' to encrypt anything at all.'
The Fifth Circuit next found that HHS was unable to show a violation of the Disclosure Rule. Notably, the court rejected an argument by HHS that 'a covered entity violates the Disclosure Rule whenever it loses control of ePHI, regardless of whether anyone outside of M.D. Anderson accesses it.' The court held that HHS could not prove that M.D. Anderson 'disclosed' ePHI 'without proving that someone 'outside' the entity received it,' a standard that the agency conceded could not be met in that case, and that would be difficult to meet generally.
The Fifth Circuit reached this conclusion based on its reading of the plain language of the regulatory definition of a 'disclosure.' Notably, the court declined to take into consideration HHS's various published interpretations of the term 'disclosure' as used in the regulation (applying the deference standard adopted by the Supreme Court in 2019 in Kisor v. Wilkie) because the Fifth Circuit concluded on its own that the regulation was not ambiguous on its face.
As noted above, the Disclosure Rule prohibits a covered entity from using or disclosing PHI, except as permitted or required under the HIPAA Rules. A 'disclosure' is defined under the HIPAA Rules as the 'release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.' The Fifth Circuit reasoned as follows:
The Fifth Circuit also found HHS's CMP order to be arbitrary and capricious due to HHS selectively enforcing its CMP rules against some covered entities but not others. The court emphasized that while 'M.D. Anderson proffered examples of other covered entities that violated the Government's understanding of the Encryption Rule and faced zero financial penalties' (including, e.g., an incident involving a theft of an unencrypted laptop containing ePHI for more than 33,000 patients), HHS had provided 'no reasoned justification for imposing zero penalty on one covered entity and a multi-million-dollar penalty on another.' According to the court, this violated the 'bedrock principle of administrative law that an agency must 'treat like cases alike.''
Finally, the Fifth Circuit found HHS's CMP order to be arbitrary and capricious because (as discussed above and as recognized by HHS in its Enforcement Discretion Memo) the penalty amounts were not consistent with the annual limits set forth in the HITECH Act.
It remains to be seen whether other circuit courts adopt reasoning similar to the Fifth Circuit's in M.D. Anderson Cancer Center. That said, this case may serve as a boon for covered entities and business associates looking to challenge HHS enforcement activities, or to avoid a conclusion of a breach in the first instance.
The Fifth Circuit's interpretation of the Disclosure Rule, which places the burden on HHS to demonstrate that a 'release' of PHI constitutes an impermissible disclosure, appears at odds with the presumption at 45 C.F.R. § 164.402 that an acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Rules is 'presumed to be a breach' unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment. If the burden falls on HHS to demonstrate that an impermissible disclosure indeed occurred, that would seem to significantly undercut the purpose of the breach presumption. In addition, the court's reasoning would appear to give covered entities and business associates greater leeway to conclude that certain unauthorized releases of PHI do not give rise to an impermissible 'disclosure' (and hence a breach) in the first instance.
Similarly, the Fifth Circuit's interpretation of the Encryption Rule may make it more difficult for HHS to impose CMPs based on non-compliance with certain requirements of the HIPAA Security Rule. Notably, several of the Security Rule's 'addressable' requirements (e.g., pertaining to audit controls and ePHI authentication) require the implementation of a 'mechanism' (if reasonable and appropriate for the organization). The court's generous interpretation of the 'mechanism' requirement in the Encryption Rule may make it difficult for HHS to impose CMPs for failure to implement workable safeguards for any of these addressable requirements, provided some minimal 'mechanism' is in place. That said, it remains to be seen whether HHS or other courts take the position that implementing a 'mechanism' determined to be less than effective gives rise to a violation of other HIPAA Security Rule standards, e.g., the requirement at 45 C.F.R. § 164.308(a)(1)(ii)(B) to '[i]mplement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.'
Finally, the court's disapproval of HHS's selective imposition of CMPs may provide a strong basis for covered entities and business associates to challenge the imposition of penalties. Perhaps more than ever, covered entities and business associates would be well advised to track enforcement of the HIPAA Rules, not only to identify potential risk areas, but also to identify enforcement activities against comparable entities that may serve as examples for challenging potential future penalties.