Encryption & Key Management , Governance & Risk Management , HIPAA/HITECH
Appeals Court Vacates $4.3 Million HIPAA Penalty
What's the Potential Impact on HIPAA Enforcement?In a ruling that could have a profound impact on HIPAA enforcement, a U.S. Court of Appeals has vacated a $4.3 million HIPAA civil monetary penalty levied by federal regulators against the University of Texas MD Anderson Cancer Center in the wake of three breaches involving unencrypted mobile devices. The court called the penalty "arbitrary, capricious and contrary to law."
See Also: Using the Netskope HIPAA Mapping Guide
In its ruling, the 5th Circuit U.S. Court of Appeals in Louisiana was critical of the Department of Health and Human Services Office for Civil Rights’ interpretation of HIPAA requirements and how it sets civil monetary penalties.
“The court’s opinion vacating the civil monetary penalty levied against MD Anderson raises a number of issues that challenge long-held assumptions on what the HIPAA privacy and security standards require,” says privacy attorney David Holtzman of the consultancy HITPrivacy LLC. "Just as significantly, the court ripped apart the processes that underpin the [HIPAA] enforcement approach."
The civil monetary penalty levied against MD Anderson in 2017 included $1.3 million for violations related to the failure to encrypt devices and $3 million for impermissible data disclosures related to three data breaches in 2012 and 2013.
One breach involved the theft of an unencrypted laptop from the residence of an MD Anderson employee; the others involved the loss of unencrypted USB thumb drives containing the unencrypted electronic protected health information on a total of over 33,000 individuals.
Encryption Was Available
Among the reasons for vacating the penalty, the court said that MD Anderson at the time of the incidents had in place a "mechanism" to encrypt PHI on mobile devices, but three employees failed to use the encryption control before the laptop and two USB drives vanished.
"MD Anderson furnished its employees an 'IronKey' to encrypt and decrypt mobile devices and trained its employees on how to use it. MD Anderson also implemented a mechanism to encrypt emails," the court said.
PHI 'Disclosures'
The court also took issue with whether PHI had actually been "released" as described in HIPAA’s unpermitted disclosure provisions as a result of the loss or theft of devices and also whether that information was, in fact, released to an "outside" entity in the incidents.
"It defies reason to say an entity affirmatively acts to disclose information when someone steals it," the court wrote, adding that HHS had no proof "that someone 'outside' MD Anderson received the ePHI. The disclosure rule does not prohibit disclosure to just any someone. The ePHI must be disclosed to someone 'outside' of the covered entity."
Levying Penalties
The court also criticized how HHS calculated the financial penalty.
“It is a bedrock principle of administrative law that an agency must 'treat like cases alike,'" the court wrote. Some other covered entities with similar breaches faced "zero financial penalties," the court said.
The court cited a breach involving a Cedars-Sinai Health System employee who lost an unencrypted laptop containing ePHI for more than 33,000 patients in a burglary. "HHS investigated and imposed no penalty at all," the court said. “"The government has offered no reasoned justification for imposing zero penalty on one covered entity and a multimillion-dollar penalty on another."
Civil Monetary Penalties Are Rare
In the resolution of most HIPAA enforcement cases that involve a financial payment by a breached entity, the payment is typically agreed to as part of a settlement or resolution agreement.
OCR generally imposes a civil monetary penalty, apart from a settlement or agreement, only in those cases that involve a lack of cooperation with investigators or the failure to take recommended steps to correct security deficiencies. As a result, OCR has announced only a handful of cases involving civil monetary penalties.
"The ruling undermines the entire OCR enforcement approach, indicating that it is arbitrary and capricious for OCR to select a few cases for financial enforcement if the result is that similar fact patterns are enforced differently."
—Adam Greene, Davis Wright Tremaine
MD Anderson had previously appealed the 2017 OCR penalty to a HHS administrative law judge, who in 2018 upheld the penalty. The cancer center appealed that decision to the 5th Circuit, which vacated the penalty Thursday.
Lowered Penalties
In its ruling, the appeals court says that two months after the administrative law judge ruling in MD Anderson’s first appeal, "HHS conceded that it had misinterpreted the statutory [penalty] caps. And it published a 'Notice of Enforcement Discretion Regarding HIPAA Civil Money Penalties' to explain its mea culpa."
In April 2019, HHS OCR announced it had revised its interpretation of the HITECH Act penalty caps, lowering fines for less egregious violations. That included cases involving civil monetary penalties as well as those in which OCR negotiates HIPAA settlements that include corrective actions "and monies in lieu of civil monetary penalties,” the agency said at the time (see: HHS Lowers Some HIPAA Fines.)
'Blockbuster' Decision
Privacy attorney Kirk Nahra of the law firm WilmerHale, says the court’s decision "is a bit of a blockbuster, as it goes after OCR's general approach to enforcement and severely limits the penalty ability of the agency."
Among the court's findings that could be contested by HHS is whether "a mere loss of unsecured protected health information is not a 'disclosure' of PHI defined by HIPAA," predicts regulatory attorney Paul Hales of the Hales Law Group.
"This has enormous implications. For example, loss or theft of an unencrypted laptop containing PHI is considered a reportable breach of unsecured PHI," he says. "In this case, HHS conceded it could not prove someone 'outside' MD Anderson received the lost unencrypted devices and PHI they contained. That logic would hamstring all enforcement activity regarding lost unencrypted laptops."
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says the court’s decision "has a number of big impacts."
The ruling "essentially sets forth that a covered entity or business associate must implement a mechanism for encryption, but is not responsible for violating the HIPAA Security Rule if the workforce don’t use the mechanism," he says.
"The ruling undermines the entire OCR enforcement approach, indicating that it is arbitrary and capricious for OCR to select a few cases for financial enforcement if the result is that similar fact patterns are enforced differently."
Big Implications
The ruling could have a major impact on HHS OCR's HIPAA enforcement and potentially could trigger changes in the HIPAA regulations, Holtzman predicts.
"It will be more difficult for OCR to enforce the HIPAA privacy and security rule standards," he says. "If HHS chooses not to appeal this ruling, it may force OCR to propose changes to the HIPAA privacy or security rules. The agency will need to go back to the drawing board to set standards for when and how it pursues formal enforcement actions.
"The ruling in this case points to the need for the Congress to pass a privacy law which sets a single set of standards for the disclosure and safeguarding of personally identifiable information."
MD Anderson Statement
In a statement provided to Information Security Media Group, MD Anderson says it is grateful for the court’s "well-reasoned and thoughtful opinion."
MD Anderson adds: "Our purpose throughout this legal process has been to bring transparency, accountability and consistency to the OCR's enforcement process. As always, patient privacy remains of extreme importance at MD Anderson. We are committed to respecting HIPAA and the rules of protecting patient information, and we continually evaluate and enhance our data protection and privacy procedures to ensure our high standards are met."
OCR did not immediately respond to ISMG's request for comment on whether it plans to appeal the ruling.
Hales says that the court opinion was written by a three-judge panel of the 5th Circuit. "The next move by HHS if it wants to contest the opinion is to petition for review by all judges of 5th Circuit."