January 25, 2021

Landmark HIPAA Decision May Upend OCR's Historical Enforcement Approach

Client Alert
Beth Neal Pitman

The U.S. Court of Appeals for the Fifth Circuit has vacated a $4.3 million HIPAA civil money penalty (“CMP”) imposed on the University of Texas M.D. Anderson Cancer Center by the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) in 2017.

The CMP was imposed following an investigation of notices to OCR in 2012 and 2013 of three breaches involving the loss of two unencrypted flash drives and the theft of an unencrypted laptop computer, all containing electronic protected health information (ePHI) of 34,883 individuals. Consistent with its most common enforcement approach, OCR sought resolution of the alleged HIPAA noncompliance identified during the investigation, but the parties failed to reach a settlement agreement. As a result, OCR imposed a rare CMP.

M.D. Anderson appealed the CMP imposition through the internal HHS Administrative Hearing process, and the CMP was upheld. M.D. Anderson then filed a petition with the 5th U.S. Circuit Court of Appeals to consider whether HHS acted outside its authority under the Administrative Procedure Act, and the court released its decision on January 14 of this year. M.D. Anderson did not argue that it had not violated HIPAA, but instead that the enforcement action and imposition of a CMP were outside of HHS’s administrative authority as permitted under the Administrative Procedure Act, 5 U.S.C. § 551, et seq. (1946) (“APA”).

Crash course in U.S. agency administrative processes, specifically HHS: As we all know, Congress enacts the laws, referred to as statutes. If directed by statute, the law is implemented in regulations through the rule-making authority and processes of the applicable agency. After that, the agency, such as HHS, is tasked with enforcement of the regulations, and the APA sets the scope of the agency’s authority. Among other APA boundaries, an agency is prohibited from acting in a manner that is “arbitrary, capricious, an abuse of discretion or otherwise not in accordance with the law.” 5 U.S.C. § 706(2); see Windsor Place v. U.S. Dep’t of Health & Hum. Servs., 649 F.3d 293, 297 (5th Cir. 2011) (per curiam).

The Fifth Circuit’s decision, including the issues it did not rule upon, raises some interesting questions regarding the future path of HHS’s administrative processes and enforcement actions. While the court did not consider any OCR-published “guidance,” it also did not state whether such “guidance” may be considered in an enforcement action. The court interpreted and applied HIPAA’s standards based solely on a strict reading of the regulations.

The Fifth Circuit considered M.D. Anderson’s argument that HHS acted outside its legal authority under the APA, i.e., ultra vires, in its regulatory implementation, in its enforcement action against M.D. Anderson, and in its interpretation of the regulations and exercise of judgment.

M.D. Anderson had argued that it was a state agency and not a “person” subject to the HIPAA enforcement rule. Specifically, it argued that the HHS regulations implemented through HHS’s rule-making authority improperly expanded HIPAA’s statutory law by defining a “person” regulated by HIPAA to include state agencies, when the HIPAA statute itself did not include such a definition. An APA challenge was also the basis of the decision of the United States District Court for the District of Columbia in Ciox Health, LLC v. Azar, 435 F.Supp.3d 30 (D.D.C. 2020), in which the District Court noted that HHS’s authority to implement HIPAA through regulation is limited by the clear and plain language of the regulation and that “an agency's general rulemaking authority cannot be used to expand a congressionally imposed restriction.” Ciox at *65. However, the Fifth Circuit declined to address this argument and assumed that M.D. Anderson was a “person” covered by HIPAA’s enforcement rule. For the many state agencies previously subjected to CMPs through HHS enforcement actions, this could have been a critical decision, and it may yet become one if either party seeks review by the United States Supreme Court.

The Fifth Circuit did decide that HHS exceeded its authority in imposing the CMP, finding that imposition of the CMP against M.D. Anderson was outside of HHS’s authority as “arbitrary, capricious, and otherwise unlawful,” for the four reasons discussed below.

HIPAA’s Encryption “Rule.” As one of several “addressable” Security Rule standards, a HIPAA-covered entity must, as reasonable and appropriate, “[i]mplement a mechanism to encrypt and decrypt electronic protected health information.” 45 C.F.R. § 164.312(a)(2)(iv). Although it is widely assumed that HIPAA expressly requires encryption, the addressable nature of this standard means that covered entities can use alternative means of protecting data, although encryption is undoubtedly the industry-standard approach. Because M.D. Anderson had HIPAA policies that identified encryption as an operating requirement, and because it had implemented encryption across the organization, HHS argued that the fact that a stolen laptop and two USB drives were unencrypted was evidence of a violation of the Encryption Rule. The court found that HHS’s expansion of the clear language of the regulation to require more than the regulation specifies was outside its authority. “Herculean” efforts are not required by the regulation.

“The regulation requires only ‘a mechanism’ for encryption. It does not require a covered entity to warrant that its mechanism provides bulletproof protection of ‘all systems containing ePHI.’ Nor does it require covered entities to warrant that all ePHI is always and everywhere ‘inaccessible to unauthorized users.’ Nor does the regulation prohibit a covered entity from creating ‘a mechanism’ by directing its employees to sign an Acceptable Use Agreement that requires encryption of portable devices. Nor does it say that providing employees an IronKey is insufficient to create a compliant mechanism. Nor does it say anything about how effective a mechanism must be, how universally it must be enforced, or how impervious to human error or hacker malfeasance it must be. The regulation simply says ‘a mechanism.’ M.D. Anderson undisputedly had ‘a mechanism,’ even if it could’ve or should’ve had a better one. So M.D. Anderson satisfied HHS’s regulatory requirement, even if the Government now wishes it had written a different one.” MD Anderson at *11.

The Disclosure Rule. HIPAA provides that “A covered entity or business associate may not use or disclose protected health information, except as permitted or required by [the Privacy Rule].” 45 C.F.R. § 164.502. With exceptions not relevant to M.D. Anderson’s situation, the Disclosure Rule prohibits a covered entity from making a “disclosure,” i.e., the “release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.”

The Fifth Circuit interpreted these verbs as describing action rather than a passive loss of information, and as transitive, meaning that in order to disclose information there must be someone outside the entity to receive it. On the court’s reading, it saw no way to prove “that M.D. Anderson ‘disclosed’ ePHI without proving that someone ‘outside’ the entity received it. And [HHS] concedes it cannot meet that standard.” MD Anderson at *10.

Arbitrary and capricious enforcement of the CMP. “It is a bedrock principle of administrative law that an agency must ‘treat like cases alike,’” MD Anderson at *11 (citing Nat’l Cable & Telecomms. Ass’n v. Brand X Internet Servs., 545 U.S. 967, 981 (2005)). Therefore, the court held, the administrative law judge’s (ALJ) decision that HHS can enforce penalties against some and not others is unreasonable and inconsistent. The court cited the example of a Cedars-Sinai employee who lost an unencrypted laptop containing ePHI in a burglary; after investigating, HHS imposed no penalty at all on Cedars-Sinai. The court found no justification for HHS’s application of its “enforcement discretion” in assessing penalties discriminately or randomly.

Per-year penalty caps. In May 2019, HHS exercised its “enforcement discretion” to modify the penalty structure, reducing the penalties for several penalty categories, including “reasonable cause” and “willful neglect.” The 2017 CMP previously imposed upon M.D. Anderson by HHS was in excess of the revised penalty structure. Although the conduct and the CMP imposition preceded the May 2019 revision, the Fifth Circuit found that the revised penalty structure would apply to M.D. Anderson. The revision, as the court pointed out, was necessary because the prior structure was contrary to the HIPAA statute; its revision was therefore required and not an exercise of “enforcement discretion.” HHS had voluntarily reduced the penalty to 10% of its prior amount based on application of the revised penalty structure. As a result, HHS would be required to adhere to the annual penalty caps as revised by Congress. For reasonable cause violations, that annual amount may not exceed $100,000; M.D. Anderson was instead charged $1,348,000 over the calendar years 2011, 2012, and 2013 for violating the Encryption Rule and $3,000,000 for calendar years 2012 and 2013 for violating the Disclosure Rule, far exceeding Congress’s limits.

The Fifth Circuit’s ruling raises a number of questions, including:

  • What role, if any, does published HHS/OCR guidance play in enforcement decisions?
  • Will Covered Entities be held to the standards set out in HHS OCR guidance if the guidance is beyond the scope of the plain language of the regulation?
  • In an investigation following a breach, if the incident arose from an anomaly, as opposed to systemic non-compliance, can the Covered Entity be found liable under HIPAA?
  • In an investigation following a breach, can the Covered Entity find that no impermissible disclosure occurred if there is no information from which HHS could find that an outside entity actually received the PHI?
  • Will the “arbitrary and capricious” ruling result in more fines against Covered Entities in situations formerly enforced through technical advice or voluntary corrective action?
  • Will the ruling regarding penalty structure result in correction of prior settlement agreement amounts or the few other CMPs imposed on Covered Entities in the past?

The case has been remanded to a lower court for further proceedings. In the meantime, HHS has continued its active issuance of enforcement settlements, including one announced within a day of the MD Anderson decision. A complementary post about that matter can be found here.

To read the court’s full opinion, go here.
