On January 14, the Fifth Circuit vacated the University of Texas M.D. Anderson Cancer Center’s (M.D. Anderson) $4.3 million fine for HIPAA violations arising from its loss of more than 35,000 individuals’ protected health information (PHI).
Data Incidents and Agency Response
In 2012, an M.D. Anderson faculty member’s unencrypted laptop containing electronic protected health information (ePHI) for 29,021 individuals was stolen. Later in 2012, an M.D. Anderson trainee lost an unencrypted USB thumb drive that contained ePHI for over 2,000 individuals. In 2013, a visiting researcher lost another unencrypted USB thumb drive that contained ePHI for nearly 3,600 individuals.
M.D. Anderson reported each breach to the United States Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Following an investigation, OCR determined that M.D. Anderson violated two provisions of HIPAA: (1) the requirement to implement encryption or other reasonable mechanisms to protect ePHI (Encryption Rule); and (2) the prohibition against the disclosure of PHI other than as permitted or required by HIPAA (Disclosure Rule).
OCR assessed daily penalties for violations of each requirement, $1,348,000 for violations of the Encryption Rule and $1,500,000 for violations of the Disclosure Rule. The total penalty amounted to $4,348,000.
M.D. Anderson appealed the penalty to an HHS administrative law judge (ALJ) who sided with OCR, granting the government summary judgment and upholding the penalty. The ALJ refused to address M.D. Anderson’s constitutional or statutory arguments (stating that its authority extended only to enforcing HHS’s regulations—not interpreting statutes or the Constitution) and refused to consider M.D. Anderson’s argument that the penalty was arbitrary or capricious as compared to OCR’s handling of other, similar breaches of unsecured PHI. HHS’s Departmental Appeals Board agreed with the ALJ and upheld the granting of summary judgment.
Fifth Circuit Vacates Penalty
After working its way through two unsuccessful rounds of administrative appeals, M.D. Anderson petitioned the Fifth Circuit for review. After the petition was filed, OCR conceded that it could not defend its penalty and asked the court to reduce it to $450,000.
The Fifth Circuit held that OCR improperly applied the Encryption and Disclosure Rules and that the penalty violated the Administrative Procedure Act because it was arbitrary and capricious.
First, the court held that the Encryption Rule, rather than requiring covered entities to secure every system containing ePHI, requires entities to implement a mechanism to encrypt ePHI, which M.D. Anderson had done by (1) requiring its employees to sign agreements mandating employees to encrypt ePHI; and (2) deploying and making available to personnel software and training for the encryption of emails and systems containing PHI. The court held that three employees’ failure to use these mechanisms and M.D. Anderson’s failure to enforce its encryption rules was not a violation of the Encryption Rule.
Second, the court held that the Disclosure Rule prohibits only an affirmative act of disclosure, not a passive loss of information, and a violation of the rule requires that the information be disclosed to a third party. Here, the court held that the three breaches resulted from passive losses of information and there was no evidence that the ePHI had been disclosed to a third party.
Finally, the court held that the penalty amount was unreasonable because it was inconsistent with HHS’s treatment of other passive disclosures (pointing to an example where a Cedars-Sinai employee lost an unencrypted laptop containing ePHI for over 33,000 patients and HHS did not impose a penalty) and because it exceeded a statutorily mandated $100,000 yearly cap for such penalties.
While the Fifth Circuit has made clear that current regulations do not require perfection, the M.D. Anderson decision highlights the importance of covered entities taking proactive steps to ensure demonstrable encryption mechanisms are in place before any data losses occur. The court relied on evidence of M.D. Anderson’s implementation of encryption tools, creation of encryption policies for its employees, and training its employees on the use of encryption tools to find that M.D. Anderson had complied with the implementation specifications of the Encryption Rule regardless of certain employees’ subsequent failure to abide by its policies. It is paramount that all covered entities have these necessary encryption mechanisms and policies in place to protect themselves from long battles with agencies, reputational damage, and costly patient class-action suits.
If you have any questions about the M.D. Anderson decision and implementing data breach prevention protocols, please contact the authors.