On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit vacated a penalty imposed by the U.S. Office of Civil Rights (“OCR”) on the University of Texas M.D. Anderson Cancer Center (“MD Anderson”). The Court’s opinion could mark a significant reduction in the authority and discretion of OCR and tip the balance in favor of covered entities and business associates facing investigations and potential sanctions for alleged HIPAA violations.
The case arose from three separate but similar incidents occurring in 2012 and 2013, each involving the loss of an electronic device containing unencrypted electronic protected health information.In total, information involved in the loss related to approximately 34,000 individuals, and while M.D. Anderson had provided its employees with access to encryption technology, the technology had not been employed in these three instances.
In 2017, OCR’s investigation into the incidents found that M.D. Anderson had failed to implement a mechanism to encrypt the protected health information in compliance with its own written encryption policies and in response to its risk analyses that had found that the lack of device-level encryption posed a high risk to the security of protected health information. OCR imposed daily penalties for each day that the data had not been encrypted (finding separate daily violations) of $1.348 million, a penalty of $1.5 million for the violation of the disclosure rule in 2012 and $1.5 million for disclosure rule violations in 2013, for a total of $4.348 million. An administrative law judge (“ALJ”) upheld the penalties, as did the HHS Departmental Appeals Board. M.D. Anderson appealed.
After M.D. Anderson filed its appeal, OCR on its own initiative reduced the penalty to $450,000.The United States Court of Appeals for the Fifth Circuit, who undertook a de novo review, determined that even the reduced penalty was improper under the federal Administrative Procedures Act and vacated the ALJ’s ruling.The Court made four key findings:
- M.D. Anderson appropriately implemented a mechanism to encrypt electronic protected health information. While OCR argued that M.D. Anderson’s failure to encrypt the lost devices violated the HIPAA Security Rule, the Court disagreed and found that M.D. Anderson complied with the Security Rule by implementing “a mechanism to encrypt electronic protected health information” and providing its employees with access to encryption technology. Notably, the Court pointed out that the Security Rule does not command that the supplied mechanism for encryption be perfectly applied in every situation and that a single failure to encrypt a device in a particular instance, if the technology to encrypt is available, does not amount to a violation of the rule.
- There was no evidence that protected health information was impermissibly “disclosed”. The Court found that there was no evidence that any unauthorized person had received or viewed protected health information on the lost devices. In contrast, OCR has long taken the position that loss of a device with unsecured protected health information is deemed an improper disclosure, regardless of whether there is evidence that an unauthorized person actually accessed the information. The Court disagreed and held that the loss alone cannot be equated with an affirmative disclosure of data. The Court ruled that OCR bears the burden of proving that some unauthorized person received the information. Because OCR could not prove this, the Court concluded that M.D. Anderson did not make an unauthorized disclosure of unsecured protected health information.
- OCR’s penalty was arbitrary and capricious. The Court found M.D. Anderson’s penalty to be arbitrary and capricious compared to the wide variation in penalties and settlements imposed by OCR in similar cases. The ALJ who heard M.D. Anderson’s initial appeal ruled that neither he nor OCR were obligated to impose a penalty based on prior enforcement actions and that each case could stand alone without any comparison to prior decisions. The Court emphatically rejected that approach, noting that “it is a bedrock principle of administrative law that an agency must treat like cases alike.” The Court noted that in another case, a hospital lost an encrypted laptop that contained protected health information of 33,000 patients and that OCR had not imposed any penalty. The Court stated that such variation in treatment of similar cases is prohibited by the Administrative Procedures Act.
- OCR’s penalties were in excess of amounts authorized by HIPAA. OCR imposed millions in penalties against M.D. Anderson despite having determined that the alleged violations were due to “reasonable cause” and not willful neglect. The Court read the HITECH Act as capping total annual penalties for a violation of any one requirement or prohibition based on reasonable cause at $100,000. The Court further rendered the penalty ruling arbitrary and capricious and a violation of the Administrative Procedure Act because the lost devices did not cause physical, financial, or reputational harm to any person and did not hinder any person’s ability to obtain health care.
The Court’s ruling in M.D. Anderson is significant for covered entities and business associates because the ruling supports that: (1) a failure to encrypt protected health information on a particular device or devices will not prove a violation of the encryption standard if encryption technology is made generally available to members of the workforce, even if some members of the workforce do not use the offered technology; (2) lost information should not be considered “disclosed data” absent proof that an unauthorized person actually obtained the information; (3) OCR must now justify penalties imposed in relationship to penalties or settlements in like cases; and (4) OCR’s ability to access multimillion dollar penalties in cases that do not involve willful neglect has been reduced. It remains to be seen whether the Fifth Circuit’s reasoning will be adopted by other circuit courts when evaluating HIPAA violations. Nevertheless, this is a notable victory for covered entities and should lead to a more reasoned enforcement process going forward.