As the Biden administration begins detailing its regulatory and enforcement priorities, it faces a new challenge on the health data privacy and security front. In University of Texas M.D. Anderson Cancer Center v. United States Department of Health and Human Services, No. 19-60226 (5th Cir. 2021), the Fifth Circuit vacated a $4.3 million penalty against a covered entity, limited the U.S. Department of Health and Human Services’ (“HHS”) interpretation of two key data privacy and security regulations, and required the agency to consider penalties assessed against other similarly situated covered entities when issuing new penalties for regulatory violations. As the following summary of key points from the decision makes clear, the opinion is a “win” for the concept of reasonable security, rather than perfect security, and new or revised HIPAA regulations might be forthcoming from the new administration in response.
This case arose after M.D. Anderson’s disclosure to HHS of three separate data breaches: a stolen laptop and two lost thumb drives. These breaches occurred in 2012 and 2013, and all devices contained unencrypted electronic protected health information (“ePHI”). After finding that M.D. Anderson had failed to meet its obligations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”) by not encrypting the stolen laptop and lost flash drives and by not preventing the disclosure of such information, HHS imposed a civil monetary penalty of $4,348,000. After losing two levels of administrative appeals, M.D. Anderson appealed the ruling to the United States Court of Appeals for the Fifth Circuit.
The Court Concluded That HHS’s Monetary Penalty Violated the Administrative Procedure Act.
While the court sidestepped M.D. Anderson’s “principal argument” that it was not subject to HIPAA’s enforcement provision as a state agency, the court nonetheless concluded that HHS’s monetary penalty was arbitrary and capricious, thus violating the Administrative Procedure Act (“APA”), for four reasons.
The Court Gave the Biden Administration a Roadmap for Additional Rulemaking.
It remains to be seen whether the new administration will continue the aggressive enforcement approach that HHS has taken in recent years. If so, we could see new agency guidance or even formal rulemaking that reflects the Fifth Circuit’s guidance articulated in M.D. Anderson. For example, when finding that M.D. Anderson had a “mechanism” for encryption, the court listed a variety of concepts the rule could have included but did not. It could have described “how effective a mechanism must be, how universally it must be enforced, or how impervious to human error or hacker malfeasance it must be.” Similarly, the court noted that while the concept of disclosure did not currently encompass passive disclosures of information without a recipient, it is “precisely the sort of policy argument that HHS could vet in a rulemaking proceeding.” In light of HHS’s December 2020 statement that it will continue its “HIPAA enforcement initiatives until health care entities get serious about identifying security risks,” the court appears to have provided the new administration with a roadmap for how it might revise its regulations should it wish to continue its current enforcement posture.