As the Biden administration begins detailing its regulatory and enforcement priorities, it faces a new challenge on the health data privacy and security front. In University of Texas M.D. Anderson Cancer Center v. United States Department of Health and Human Services, No. 19-60226 (5th Cir. 2021), the Fifth Circuit vacated a $4.3 million penalty against a covered entity, limited the U.S. Department of Health and Human Services’ (“HHS”) interpretation of two key data privacy and security regulations, and required the agency to consider penalties assessed against other similarly-situated covered entities when issuing new penalties for regulatory violations. The opinion is available here. As the following summary of key points from the decision makes clear, the opinion is a “win” for the concept of reasonable security, rather than perfect security, and new or revised HIPAA regulations might be forthcoming from the new administration in response.
This case arose after M.D. Anderson’s disclosure to HHS of three separate data breaches: a stolen laptop and two lost thumb drives. These breaches occurred in 2012 and 2013, and all devices contained unencrypted electronic protected health information (“ePHI”). After finding that M.D. Anderson had failed to meet its obligations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”) by not encrypting the stolen laptop and lost flash drives and by not preventing the disclosure of such information, HHS imposed a civil monetary penalty of $4,348,000. After losing two levels of administrative appeals, M.D. Anderson appealed the ruling to the United States Court of Appeals for the Fifth Circuit.
The Court Concluded That HHS’s Monetary Penalty Violated the Administrative Procedure Act.
While the court sidestepped M.D. Anderson’s “principal argument” that it was not subject to HIPAA’s enforcement provision as a state agency, the court nonetheless concluded that HHS’s monetary penalty was arbitrary and capricious, thus violating the Administrative Procedure Act (“APA”), for four reasons.
- The Encryption Rule does not require “bulletproof protection.” The Encryption Rule states, in relevant part, that a HIPAA-covered entity must “[i]mplement a mechanism to encrypt and decrypt electronic protected health information.” 45 C.F.R. § 164.312(a)(2)(iv) (emphasis added). The court found that HHS wrongly concluded that M.D. Anderson had failed to implement an encryption mechanism because M.D. Anderson had in fact implemented a “mechanism”—its Acceptable Use Policy required portable devices be encrypted and it provided employees with tools and training to do just that. According to the court, the fact that the employees failed to use these encryption tools in these three instances (or that M.D. Anderson did not enforce the encryption mechanism rigorously enough) was not a violation of the Encryption Rule. “[The Encryption Rule] does not require a covered entity to warrant that its mechanism provides bulletproof protection of ‘all systems containing ePHI.’” Additionally, the court noted that just because M.D. Anderson could have done or would like to do more to encrypt and protect ePHI in the future does not mean that it failed to provide a “mechanism” for encryption.
- The Disclosure Rule does not penalize the passive loss of information, particularly when there is no clear recipient outside of the covered entity. As the court noted, the Disclosure Rule, “[w]ith exceptions not relevant here . . . prohibits a covered entity from ‘disclosing’” 45 C.F.R. § 164.502(a). The court rejected HHS’s argument that a covered entity violates the Disclosure Rule any time it loses control of ePHI, regardless of whether any third party accesses the PHI. Instead, in a strictly textual interpretation of the rule, the court found that: (i) “disclosure” requires an affirmative act rather than the “passive loss of information;” and (ii) there must be someone outside of the covered entity who received the information. Because M.D. Anderson did not affirmatively transfer, provide, or act to set free the PHI, and because HHS conceded it could not prove someone “outside” of M.D. Anderson received the information, the court found it was arbitrary and capricious to conclude there had been a disclosure of ePHI. In contrast, the court noted that an email sent to an erroneous recipient could constitute a “disclosure” because it required an affirmative act of transmitting the email to a recipient, even though the recipient was unintended. See generally 45 C.F.R. §160.103 (HIPAA definition of “disclosure” — “the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information”).
- HHS must consider whether penalties assessed in one action are consistent with those assessed in similar actions. While the agency must evaluate each case on its facts, the court reminded the agency it must also “treat like cases alike.” Here, the court found that the agency failed to analyze whether the penalties assessed against M.D. Anderson were consistent with similarly-situated covered entities, and M.D. Anderson proffered examples of analogous cases to demonstrate that the penalty imposed was an unexplained outlier. The court concluded that the agency’s failure to consider this evidence was a violation of the APA.
- HHS must ensure its penalties are consistent with the statutory caps set by Congress. In a point that was largely moot by the time the court issued its ruling, HHS’s penalty in this case did not appear to be consistent with the statutory caps for penalties attributable to “reasonable cause” rather than “willful neglect.” Two months after HHS’s decision in this case, HHS conceded it had misinterpreted the statutory caps and released a notice of enforcement discretion that it would follow those caps. As such, HHS had already reduced the penalty in this case to $450,000.
The Court Gave the Biden Administration a Roadmap for Additional Rulemaking.
It remains to be seen whether the new administration will continue the aggressive enforcement approach that HHS has taken in recent years. If so, we could see new agency guidance or even official rule making that reflects the Fifth Circuit’s guidance articulated in M.D. Anderson. For example, when finding that M.D. Anderson had a “mechanism” for encryption, the court listed a variety of concepts the rule could have included but did not. It could have described “how effective a mechanism must be, how universally it must be enforced, or how impervious to human error or hacker malfeasance it must be.” Similarly, the court noted that while the concept of disclosure did not currently encompass passive disclosures of information without a recipient, it is “precisely the sort of policy argument that HHS could vet in a rulemaking proceeding.” In light of HHS’s December 2020 statement that it will continue its “HIPAA enforcement initiatives until health care entities get serious about identifying security risks,” the court appears to have provided the new administration with a road map for how it might revise its regulations should it wish to continue its current enforcement posture.