A covered entity’s victory over proposed penalties from the Department of Health and Human Services (HHS) was good news for those responsible for HIPAA compliance, showing that good faith efforts and a willingness to fight the allegations can pay off.
In January, the 5th U.S. Circuit Court of Appeals overturned the $4.3 million civil monetary penalty (CMP) imposed by HHS on The University of Texas M.D. Anderson Cancer Center.1 That decision is a “game changer,” says Erin Dunlap, JD, an attorney with Coppersmith Brockelman in Phoenix.
“While the decision is limited in its precedential authority, I think it will impact how HIPAA-covered entities and business associates view HIPAA’s encryption rule, evaluate a loss of protected health information [PHI], and engage with HHS in determining settlement amounts, particularly if the alleged violations relate to a loss of PHI,” Dunlap says.
HHS’ Office for Civil Rights (OCR) imposed a CMP on M.D. Anderson in June 2018 after a lengthy investigation into three data breaches reported by the hospital in 2013 and 2014.2 The breaches involved the loss or theft of an unencrypted laptop containing the PHI of 29,021 individuals and two unencrypted USB drives containing the PHI of 5,862 individuals.
OCR concluded M.D. Anderson failed to implement encryption or adopt an alternative and equivalent method to limit access to electronic PHI (ePHI) stored on electronic devices and to prohibit unauthorized disclosures of ePHI.
OCR also found that M.D. Anderson had “reasonable cause” to know it was in violation of the HIPAA rules, Dunlap says. OCR imposed penalties in the amount of $1.3 million for the lack of encryption and $3 million ($1.5 million per year) for the impermissible disclosures of ePHI.
M.D. Anderson unsuccessfully sought two levels of administrative review, including with an administrative law judge (ALJ) who sustained the imposition of the CMP.3 M.D. Anderson then petitioned the 5th Circuit to review the ALJ’s ruling.
HHS Acted Arbitrarily
The important part of the decision is found in the 5th Circuit’s reasoning. The justices ruled HHS acted arbitrarily and its decision was capricious and contrary to law for four independent reasons.
First, the court found M.D. Anderson had implemented a mechanism to encrypt ePHI, as required by the HIPAA Security Rule,4 and OCR failed to show M.D. Anderson had not done enough to secure the ePHI of its patients. The court explained M.D. Anderson required employees to acknowledge in writing that portable devices storing ePHI must be encrypted, furnished employees with IronKey devices to encrypt portable devices, and trained employees how to use them. The center implemented a mechanism to encrypt emails and various other mechanisms for file-level encryption.
“According to the 5th Circuit, those steps were sufficient to establish a mechanism, even if three employees failed to encrypt ePHI. The court basically took the position that the encryption specification was not a strict liability rule, and perfection, or ‘bulletproof protection,’ was not the standard,” Dunlap says. “This is helpful for HIPAA-covered entities and business associates trying to prove they took appropriate steps to comply with the encryption rule, or other HIPAA requirements, even if they could have done more.”
Second, the court ruled the definition of “disclosure” under the HIPAA rules requires “an affirmative act of disclosure” rather than “a passive loss of information.” To be a disclosure, someone outside the covered entity would need to access the ePHI. “This interpretation turns OCR’s longstanding position and prior guidance on the loss of PHI on its head. OCR has always taken the position that the loss of PHI is an impermissible disclosure,” Dunlap explains.
In fact, in OCR’s breach reporting form, “loss” is listed as one of the options. But apparently the 5th Circuit does not agree with that interpretation, accusing HHS of trying to “transmogrify” the regulation. “I imagine some HIPAA-covered entities and business associates will point to the 5th Circuit’s interpretation of ‘disclosure’ when evaluating whether there was an ‘unauthorized disclosure’ of PHI under HIPAA’s breach notification rule,” Dunlap says.
Third, the court ruled OCR’s decision to fine some covered entities for loss of PHI incidents and not others was inconsistent. The court noted that under bedrock principles of administrative law, agencies like OCR must “treat like cases alike.”
“OCR has always taken the position that it will evaluate each case on its individual facts,” Dunlap says. “But, in light of this decision, I imagine a more comparative standard will come into play in OCR investigations and settlement discussions moving forward.”
Fourth, justices determined OCR’s calculations of penalties were wrong. Under the “reasonable cause” penalty tier, which is the second tier under HIPAA’s three-tiered penalty structure, the maximum fine for violations of an identical provision during a calendar year may not exceed $100,000. Before this decision, OCR had acknowledged it misinterpreted the statutory caps and published a notice that it would exercise its enforcement discretion to follow the $100,000 cap.
“While I don’t think OCR will exceed the statutory caps moving forward, I think this decision may prompt HIPAA-covered entities and business associates to push back on OCR’s penalty calculations and hefty settlement offers,” Dunlap says.
Refused to Interpret
The 5th Circuit criticized the ALJ who initially heard the case and the HHS Departmental Appeals Board, notes Arielle T. Miliambro, JD, partner with Frier Levitt in Pine Brook, NJ. The court ruled both “steadfastly refused to interpret the statutes at all.”
Miliambro notes the 5th Circuit interpreted the HIPAA Security Rule narrowly. The text of the regulation states a covered entity must “implement a mechanism to encrypt and decrypt” ePHI. Moreover, encryption is an addressable standard rather than a required one.
“The court found that while M.D. Anderson implemented various mechanisms to encrypt information in accordance with the requirements of HIPAA, certain employees did not use those mechanisms,” Miliambro says. “The court held that the regulation does not require that all [ePHI] be encrypted. Instead, the court reasoned, a mechanism must be in place to do so. In the court’s view, M.D. Anderson undisputedly had a mechanism, even if it could’ve or should’ve had a better one.”
Regarding whether loss of control of ePHI, such as through the misplacement of laptops or USB drives, constitutes a disclosure, Miliambro says the 5th Circuit adopted a largely textualist approach to interpreting the regulation. It held the government did not establish that a “disclosure” of PHI was made because the government could not show anybody outside the covered entity received the information on the lost devices.
“The court’s interpretation of ‘disclosure’ is narrow and, in the case of lost devices or records, serves to place a nearly insurmountable burden on HHS, establishing that someone outside of the covered entity actually received the information contained within,” Miliambro says. “This rationale has potentially significant ramifications.”
The 5th Circuit decision shows HHS does not have the final word when imposing penalties, according to Richard Sheinis, JD, partner with Hall Booth Smith in Charlotte, NC.
Sheinis says perhaps the best news for providers is the 5th Circuit’s clarification of the disclosure rule.5 Losing control of PHI does not necessarily mean the PHI was disclosed. “This will be an important factor for determining if there was a HIPAA breach when a medical provider loses control of PHI, but there is no evidence that it was accessed by an unauthorized person,” he says.
Focus on ePHI
Although there is good news in the 5th Circuit ruling, it also shows healthcare providers must pay close attention to ePHI and the changing expectations for protecting it, says Maria D. Garcia, JD, partner with Kozyak Tropin & Throckmorton in Miami.
“Providers have to be increasingly careful with how they safeguard ePHI to make sure they do not run afoul of any of the HIPAA rules,” Garcia says. “The interpretation of the HIPAA Privacy and Security Rules may vary. It is a good idea to make sure you have individuals in your provider organization who can tackle the understanding of those HIPAA rules so that your electronic information is protected as much as possible.”
The M.D. Anderson case highlights OCR’s focus on ePHI and the difficulty in protecting it.
“It is the best practice now to be cautious and try to find ways to protect electronic health information,” Garcia says. “The decision gives us guidance to everyday issues that we may face now, because so many employers carry health information on their person on their cellphones, laptops, or a USB device. Those devices should be encrypted, and it is important that providers work with experts who can analyze their specific situation.”
One of the Largest Penalties
The $4.3 million was one of the largest amounts imposed or secured in a voluntary settlement, notes Amy Leopard, JD, partner with Bradley in Nashville.
HHS had considered several factors in determining the CMP. First, the center’s 2011 security risk analysis indicated downloading ePHI was high risk and that no enterprise-wide encryption solution was in effect for laptop and mobile devices. Second, annual security reports in 2010 and 2011 showed the center had not mitigated the high risks for mobile media with encryption. Third, in 2011, the center reported lost or stolen mobile devices with ePHI to the University of Texas Police Department on 19 separate occasions. Fourth, unencrypted devices were used after the center had actual knowledge that encryption was needed to secure ePHI on mobile devices.
Leopard says the 5th Circuit reasoned that under the disclosure rule, “disclosure” suggests an affirmative act, and it defied reason for HHS to argue that a covered entity acts to disclose information when someone steals it. The court allowed that HHS may issue a regulation to redefine the word, but not in an administrative adjudication.
The court also ruled that under the HIPAA encryption rule, the center was not required to warrant that ePHI was protected by encryption; rather, the obligation is limited to implementing a mechanism to encrypt ePHI. When HHS imposed the CMPs on M.D. Anderson, many large breaches reported to OCR (those affecting 500 or more individuals) involved the loss or theft of laptops. Since then, hackers have become responsible for many large breaches with their cyberattacks on healthcare systems.
“During the timeframe of these breaches, OCR investigated hundreds of large breaches involving the loss or theft of ePHI, most without penalty. This matter was hotly contested, and the center was willing to take the risk and endure five years of administrative adjudications and litigation to get this result,” Leopard says. “HIPAA enforcement actions will continue to be resolved primarily by informal means or settled through resolution agreements. OCR limited the HIPAA CMP amounts in 2019 under its Notice of Enforcement Discretion and has entered many resolution agreements at lower thresholds over the past year.”6
Safe Harbor Possible
Leopard also notes that on Jan. 5, Congress amended the Health Information Technology for Economic and Clinical Health (HITECH) Act to require OCR to consider whether covered entities and business associates implemented certain recognized security practices regarding cybersecurity during the prior 12 months.7 If so, those entities may fall within a safe harbor requiring consideration of smaller penalties and mitigation of remedies in resolution agreements.
“These developments provide welcome relief to entities who have implemented robust compliance safeguards but still face imminent and increased cyberthreats,” Leopard says. “But this case will influence strategies for dealing with investigations that occur after a large breach. We are going to question allegations of noncompliance with the disclosure rule and make arguments to the effect that the entity did not disclose or ‘lose control’ of the ePHI when those breaches involve lost or stolen PHI. We will continue to offer OCR mitigating factors and affirmative defenses to ensure any penalty discussions will be fair and consistent with similar violations.”
OCR recently released its HIPAA audit findings showing significant gaps in security rule compliance.8 OCR likely will have to pursue many more cases and continue focusing on security fundamentals until industry findings improve. “We hope to see more entities adopt recognized security practices such as NIST [National Institute of Standards and Technology] to thwart these attacks,” Leopard says. “The game plan should be security management of these cyberthreats by adopting recognized security frameworks and having effective security incident and breach response plans in place should those risks materialize.”
- University of Texas M.D. Anderson Cancer Center v. United States Department of Health and Human Services. U.S. Court of Appeals 5th Circuit. No. 19-60226. Jan. 14, 2021.
- HHS.gov. Judge rules in favor of OCR and requires a Texas cancer center to pay $4.3 million in penalties for HIPAA violations. June 18, 2018.
- Department of Health and Human Services. Departmental Appeals Board, Civil Remedies Division. Director of the Office for Civil Rights v. The University of Texas MD Anderson Cancer Center. Docket No. C-17-854. Decision No. CR5111. June 1, 2018.
- HHS.gov. The Security Rule. Content last reviewed Sept. 23, 2020.
- 45 C.F.R. § 164.502(a).
- Department of Health and Human Services. 45 CFR Part 160. Notification of enforcement discretion regarding HIPAA civil money penalties. Federal Register. April 30, 2019.
- Congress.gov. HR 7898.
- HHS.gov. OCR issues audit report on health care industry compliance with the HIPAA rules. Dec. 17, 2020.
- Erin Dunlap, JD, Coppersmith Brockelman, Phoenix. Phone: (314) 255-5988.
- Maria D. Garcia, JD, Partner, Kozyak Tropin & Throckmorton, Miami. Phone: (305) 728-2929.
- Amy Leopard, JD, Partner, Bradley, Nashville. Phone: (615) 252-2309.
- Arielle T. Miliambro, JD, Partner, Frier Levitt, Pine Brook, NJ. Phone: (973) 852-8379.
- Richard Sheinis, JD, Partner, Hall Booth Smith, Charlotte, NC. Phone: (980) 859-0381.