Perfection Not Required: Fifth Circuit Vacates HHS OCR $4.3 Million Penalty for Potential Data Breach Case

Bass, Berry & Sims PLC

On January 14, the Fifth Circuit vacated the University of Texas M.D. Anderson Cancer Center’s (M.D. Anderson) $4.3 million fine for HIPAA violations arising from its loss of more than 35,000 individuals’ protected health information (PHI).

Data Incidents and Agency Response

In 2012, an M.D. Anderson faculty member’s unencrypted laptop containing electronic protected health information (ePHI) for 29,021 individuals was stolen. Later in 2012, an M.D. Anderson trainee lost an unencrypted USB thumb drive that contained ePHI for over 2,000 individuals. In 2013, a visiting researcher lost another unencrypted USB thumb drive that contained ePHI for nearly 3,600 individuals.

M.D. Anderson reported each breach to the United States Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Following an investigation, OCR determined that M.D. Anderson violated two provisions of HIPAA: (1) the requirement to implement encryption or other reasonable mechanisms to protect ePHI (Encryption Rule); and (2) the prohibition against the disclosure of PHI other than as permitted or required by HIPAA (Disclosure Rule).

OCR assessed daily penalties for violations of each requirement: $1,348,000 for violations of the Encryption Rule and $1,500,000 for violations of the Disclosure Rule in each of two calendar years. The total penalty amounted to $4,348,000.

M.D. Anderson appealed the penalty to an HHS administrative law judge (ALJ) who sided with OCR, granting the government summary judgment and upholding the penalty. The ALJ refused to address M.D. Anderson’s constitutional or statutory arguments (stating that its authority extended only to enforcing HHS’s regulations—not interpreting statutes or the Constitution) and refused to consider M.D. Anderson’s argument that the penalty was arbitrary or capricious as compared to OCR’s handling of other, similar breaches of unsecured PHI. HHS’s Departmental Appeals Board agreed with the ALJ and upheld the granting of summary judgment.

Fifth Circuit Vacates Penalty

After working its way through two unsuccessful rounds of administrative appeals, M.D. Anderson petitioned the Fifth Circuit for review. After the petition was filed, OCR conceded that it could not defend its penalty and asked the court to reduce it to $450,000.

The Fifth Circuit held that OCR improperly applied the Encryption and Disclosure Rules and that the penalty violated the Administrative Procedure Act because it was arbitrary and capricious.

First, the court held that the Encryption Rule, rather than requiring covered entities to secure every system containing ePHI, requires entities to implement a mechanism to encrypt ePHI, which M.D. Anderson had done by (1) requiring its employees to sign agreements mandating that they encrypt ePHI; and (2) deploying and making available to personnel software and training for the encryption of emails and systems containing PHI. The court held that three employees’ failure to use these mechanisms and M.D. Anderson’s failure to enforce its encryption rules were not violations of the Encryption Rule.

Second, the court held that the Disclosure Rule prohibits only an affirmative act of disclosure, not a passive loss of information, and a violation of the rule requires that the information be disclosed to a third party. Here, the court held that the three breaches resulted from passive losses of information and there was no evidence that the ePHI had been disclosed to a third party.

Finally, the court held that the penalty amount was unreasonable because it was inconsistent with HHS’s treatment of other passive disclosures (pointing to an example where a Cedars-Sinai employee lost an unencrypted laptop containing ePHI for over 33,000 patients and HHS did not impose a penalty) and because it exceeded a statutorily mandated $100,000 yearly cap for such penalties.

Takeaway

While the Fifth Circuit has made clear that current regulations do not require perfection, the M.D. Anderson decision highlights the importance of covered entities taking proactive steps to ensure demonstrable encryption mechanisms are in place before any data losses occur. The court relied on evidence of M.D. Anderson’s implementation of encryption tools, creation of encryption policies for its employees, and training of its employees on the use of encryption tools to find that M.D. Anderson had complied with the implementation specifications of the Encryption Rule regardless of certain employees’ subsequent failure to abide by its policies. It is paramount that all covered entities have these necessary encryption mechanisms and policies in place to protect themselves from long battles with agencies, reputational damage, and costly patient class-action suits.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bass, Berry & Sims PLC | Attorney Advertising
