The 5th Circuit U.S. Court of Appeals in Louisiana has vacated the civil monetary penalties imposed on the University of Texas MD Anderson Cancer Center by the HHS’ Office for Civil Rights. The financial penalties were levied against MD Anderson in 2017 following an investigation of three data breaches at MD Anderson between 2012 and 2013.
All three data breaches involved the loss or theft of electronic equipment containing the electronic protected health information (ePHI) of patients. Two unencrypted USB thumb drives had been reported lost, and an unencrypted laptop computer was reported as stolen from the vehicle of an employee. In total, the ePHI of more than 33,000 individuals was potentially obtained by unauthorized individuals because of the three loss/theft incidents.
All three breaches could easily have been prevented had the devices been encrypted. OCR determined that the failure to encrypt the devices warranted a financial penalty which, based on the fee structure used by OCR at the time, was determined to be $1.3 million for the failure to encrypt and $3 million for the impermissible disclosure of ePHI.
MD Anderson contested the civil monetary penalties and appealed twice, but both appeals failed. The case went before an administrative law judge, who ruled in favor of OCR. MD Anderson then petitioned the Court of Appeals, which ruled that the civil monetary penalties were “arbitrary, capricious, and contrary to law.”
The Court of Appeals found four independent issues with the civil monetary penalties. The HIPAA Security Rule does require a mechanism for the encryption of ePHI to be implemented, or alternate measures that provide an equivalent level of protection. However, at the time of the breaches and for several years previously, MD Anderson had a mechanism for encryption in place: it had provided employees with IronKey devices that could be used to encrypt data on mobile devices and had trained employees on how to use them.
The Court of Appeals found that while the devices in question had not been encrypted, OCR had not established that MD Anderson had failed to do enough to ensure ePHI was encrypted. A mechanism for encryption was in place, but three employees had failed to use it to encrypt data.
The majority of the financial penalty was for impermissible disclosures of ePHI. The Court of Appeals took issue with the nature of the disclosures and with whether ePHI had actually been released to an outside entity. There was no proof that ePHI had been disclosed to an outside entity, and the HIPAA Rules do not prohibit disclosures of ePHI to “any someone”.
The Court of Appeals also took issue with the decision to impose a penalty on MD Anderson and not on other covered entities that had experienced similar loss/theft incidents involving unencrypted devices containing ePHI. The Court of Appeals cited a similar breach at Cedars-Sinai Health System, where an unencrypted laptop computer containing the ePHI of 33,000 patients was lost, yet no financial penalty was imposed. The Court of Appeals said in its ruling that the government had given no explanation as to why one case attracted a financial penalty and the other did not.
Then there was an issue with the financial penalty amount, which MD Anderson believed to be excessive. The HHS had interpreted the requirements of the HITECH Act of 2009 in a way that increased the penalties for HIPAA violations. The HHS subsequently reinterpreted the wording of the HITECH Act and published a Notice of Enforcement Discretion stating that the requirements of the HITECH Act had been misinterpreted. The maximum penalties were reduced in three of the four penalty tiers for both civil monetary penalties and settlements, including the “reasonable cause” tier under which the alleged MD Anderson HIPAA violations fell.
OCR had imposed the maximum fine of $1.5 million per year, when the new interpretation only allowed a maximum fine of $100,000 per year. The Notice of Enforcement Discretion was published in April 2019, and MD Anderson filed its third appeal after that date. After the case was appealed, OCR conceded that the maximum financial penalty that could be justified was $450,000 and requested the fine be reduced.
This is a notable ruling that could well have implications for other covered entities and business associates that choose to appeal HIPAA violation penalties and will also have implications for future OCR enforcement actions, especially cases where unencrypted devices containing ePHI have been lost or stolen.
Provided a mechanism for encryption has been implemented, the lack of encryption on specific devices would not be the fault of the entity. In terms of impermissible disclosures, OCR would be required to prove that ePHI had been disclosed to an external entity, which is very difficult in cases where a portable electronic device has been lost or stolen.
OCR has limited funds and resources available to pursue financial penalties, so tends to pick and choose the cases it pursues. The ruling calls OCR’s “arbitrary and capricious” approach into question and may require OCR to rethink the way it conducts HIPAA enforcement actions.