MD Anderson Wins Appeal Over $4.3 Million HIPAA Penalty – Lexology

Posted on by

On January 14, 2021, the United States Court of Appeals for the Fifth Circuit vacated a $4.3 million civil monetary penalty that the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) imposed against the University of Texas M.D. Anderson Cancer Center (M.D. Anderson). OCR ordered the penalty in 2017 following an investigation into three data breaches suffered by M.D. Anderson in 2012 and 2013, finding that M.D. Anderson had violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information and Technology for Economic and Clinical Health Act of 2009 (HITECH Act). The Court, however, held that the penalty was arbitrary, capricious, and otherwise unlawful, in part based on its interpretation of the HIPAA Rules.

The Court held that the HIPAA Security Rule does not mandate bulletproof protection of electronic protected health information (ePHI). Instead, the Court found that M.D. Anderson had adopted sufficient mechanisms to encrypt ePHI. It also held that the passive loss of information did not contravene certain of HIPAAs restrictions on the disclosure of ePHI. Finally, the Court concluded that HHSs penalty exceeded the statutory maximum and was inconsistent with other penalties imposed in similar situations. The Fifth Circuits decision may provide support for covered entities that seek to challenge penalties associated with HIPAA violations in the future and may invite HHS to consider revisions to its HIPAA enforcement regulations.

Background

The civil monetary penalties imposed against M.D. Anderson stem from three data breaches experienced in 2012 and 2013. The court record contained the following facts: An M.D. Anderson faculty members laptop was stolen in 2012. The laptop contained ePHI relating to almost 30,000 individuals and was not encrypted or password-protected. Then, in 2012 and 2013, two M.D. Anderson employees lost unencrypted USB thumb drives, both of which held ePHI for more than 5,000 individuals. In total, these breaches resulted in the unauthorized disclosure of ePHI for about 35,000 people.

After its investigation, OCR concluded that M.D. Anderson violated two provisions of the HIPAA Rules: (1) The failure to [i]mplement a mechanism to encrypt ePHI or adopt some other reasonable and appropriate method to limit access to patient data (which the court referred to as the Encryption Rule); and (2) the unpermitted disclosure of protected health information (which the court referred to as the Disclosure Rule). HHS also determined that M.D. Anderson had reasonable cause to know it violated these rules. As a result of this investigation, OCR imposed a $4.3 million dollar fine against M.D. Anderson. M.D. Anderson appealed the penalty to an administrative law judge (ALJ), who upheld the penalty in June 2018. HHSs Departmental Appeals Board (DAB) subsequently affirmed the ALJs decision, and M.D. Anderson sought judicial review from the United States Court of Appeals for the Fifth Circuit, which reviewed the case de novo. The Fifth Circuit vacated the ALJs ruling and held that OCRs enforcement actions were arbitrary, capricious, and unlawful for the following four reasons.

The Encryption Rule

The Encryption Rule, as part of the HIPAA Security Rule, requires a HIPAA-covered entity to [i]mplement a mechanism to encrypt and decrypt electronic protected health information or adopt some other reasonable and appropriate method to limit access to patient data. See 45 C.F.R. 164.312(a)(2)(iv). Upon reviewing the evidence, the Court found that M.D. Anderson had in fact implemented a mechanism. Specifically, M.D. Anderson required employees to sign an Acceptable Use Agreement acknowledging their obligation to encrypt protected health information and provided them with an IronKey to encrypt and decrypt mobile devices. M.D. Anderson also had a mechanism to encrypt emails and implemented mechanisms for file-level encryption. Although HHS argued that M.D. Anderson should have done more, pointing to internal documents that indicated M.D. Anderson wanted to strengthen its ePHI security, the Court rejected this irrational argument, noting that M.D. Andersons desire to do more in the future did not mean that it had failed to meet the Security Rules requirement to encrypt patient data in the past. Furthermore, the Court determined that the fact that the lost and stolen items were unencrypted was not evidence that M.D. Anderson lacked a mechanism for encryption. Instead, it simply meant that either these employees failed to abide by the mechanism or that M.D. Anderson failed to properly enforce the mechanism.

In vacating the penalties, the Court noted that the regulation requires only a mechanism for encryption. The Encryption Rule does not require that the mechanism provide bulletproof protection for all systems that contain ePHI; nor does it specify what form the mechanism should take. Entities may satisfy the Encryption Rules requirements by placing obligations on their employees through an Acceptable Use Agreement or providing tools to encrypt ePHI. The Court found that M.D. Anderson satisfied the requirement to have a mechanism and emphasized that if HHS wants to police just how herculean a covered entity must be in encrypting ePHI, the Government can propose a rule to that effect and attempt to square it with the statutes Congress enacted.

The Disclosure Rule

The Disclosure Rule, as part of the HIPAA Privacy Rule, prohibits covered entities from disclosing protected health information (PHI), including ePHI, unless it is disclosed in accordance with HIPAA. See 45 C.F.R. 164.502(a). HIPAA defines disclosure as the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information. Id. 160.103. The ALJ had determined that M.D. Anderson released PHI, or in this instance ePHI, by losing control of it, thereby violating the Disclosure Rule. Under the ALJs interpretation, a covered entity violates the Disclosure Rule whenever it loses control of ePHI, regardless of whether anyone outside of the covered entity accesses it. However, the Fifth Circuit held that this interpretation of disclosure departed from the regulation in at least three ways.

In the present case, the Court found that the facts did not support a violation of the Disclosure Rule. The M.D. Anderson employees did not affirmatively disclose ePHI. Rather, employees merely lost the ePHI or had it stolen from them. In addition, HHS could not prove that any third party outside of the company had received the ePHI. Thus, there was no evidence to support that M.D. Anderson violated the Disclosure Rule. The Court rejected HHSs argument that its interpretation of disclosure would make it harder for the agency to enforce the regulation, noting that it was the sort of policy argument that HHS could vet in a rule making proceeding.

Failure to Impose Similar Penalties on Other Covered Entities

Highlighting the bedrock principle of administrative law that an agency treat like cases alike, the Fifth Circuit held that the ALJ had acted arbitrarily and capriciously by imposing high penalties against M.D. Anderson but not against other covered entities in similar circumstances. M.D. Anderson provided examples of other covered entities that similarly violated HHSs interpretation of the Encryption Rule and faced no financial penalty, such as one case where the covered entitys employee lost an unencrypted laptop containing ePHI of over 33,000 patients during a burglary, yet HHS chose to impose no penalty without any explanation. The Court emphasized that an administrative agency cannot hide behind the fact-intensive nature of penalty adjudications to ignore irrational distinctions between like cases.

Amount of Penalties Contradicted the Enforcement Rule

The Court acknowledged that penalties associated with violations of the Encryption Rule and the Disclosure Rule may vary depending on the level of culpability. The ALJ determined that M.D. Andersons violations were due to reasonable cause and not willful neglect, for which the HIPAA statute establishes the statutory cap on civil monetary penalties at no more than $100,000 per calendar year. See 42 U.S.C. 1320d-5(a)(1)(B), (a)(3)(B). Nevertheless, the ALJ determined the per-year statutory cap was $1,500,000, and assessed M.D. Andersons penalties for violating the Encryption Rule at $1,348,000 for 20112013 and for violating the Disclosure Rule at $3,000,000 for 20122013. The Court found the ALJs decision was arbitrary, capricious, and contrary to law, noting that even HHS had conceded it had misinterpreted the statutory caps by issuing a Notice of Enforcement Discretion Regarding HIPAA Civil Money Penalties only two months after the Departmental Appeals Board upheld the ALJs decision. In addition, the Court found that the ALJ had erroneously ignored HHSs own regulations outlining factors for the agency to consider in assessing penalties.

More here:
MD Anderson Wins Appeal Over $4.3 Million HIPAA Penalty - Lexology

Related Posts
This entry was posted in $1$s. Bookmark the permalink.