On January 15, 2021, the Fifth Circuit vacated a $4.3 million penalty that the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) had issued against the University of Texas M.D. Anderson Cancer Center (M.D. Anderson) in 2017. OCR initially levied the penalty against M.D. Anderson after the hospital disclosed three separate security incidents in 2012 and 2013 in which unencrypted devices containing electronic protected health information (ePHI) were stolen or lost. OCR had determined that M.D. Anderson violated the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules. Specifically, OCR had determined that M.D. Anderson violated the Security Rule’s encryption provisions because it did not have an appropriate mechanism to encrypt ePHI, and the Privacy Rule’s use and disclosure principles, which prohibit the unpermitted disclosure of ePHI. An administrative law judge (ALJ) upheld OCR’s ruling in 2018, which led M.D. Anderson to appeal to the Fifth Circuit.
The Fifth Circuit disagreed with OCR’s (and the ALJ’s) interpretation of both the encryption and disclosure provisions, and also determined that the penalty issued by the agency was “arbitrary, capricious, and otherwise unlawful.” Regarding the encryption provisions, the Fifth Circuit found that M.D. Anderson satisfied the requirements of the Security Rule despite the fact that 1) M.D. Anderson’s own documentation indicated that it wanted to strengthen its encryption program, and 2) the three devices that were subject to unauthorized access (and were reported to OCR) were not encrypted. The court noted that the HIPAA Security Rule “requires only ‘a mechanism’ for encryption. It does not require a covered entity to warrant that its mechanism provides bulletproof protection of ‘all systems containing ePHI.’ Nor does it require covered entities to warrant that all ePHI is always and everywhere ‘inaccessible to unauthorized users.’”
With regard to the disclosure provisions of the HIPAA Privacy Rule, the Fifth Circuit focused its analysis on the definition of the word “disclosure” in the HIPAA regulations and noted that HHS’s definition implies that a disclosure is an affirmative act, not a passive loss of information. According to the Fifth Circuit, “It defies reason to say an entity affirmatively acts to disclose information when someone steals it.” The Fifth Circuit also noted that HHS’s definition of disclosure implies that someone must actually have received the information, that is, it must have been made known to someone. Lastly, the Fifth Circuit noted that the Privacy Rule requires a disclosure of ePHI to be made to someone outside of the covered entity, which OCR could not prove had occurred.
Along with the encryption and disclosure provisions, the Fifth Circuit also took issue with M.D. Anderson’s disparate treatment compared to other OCR investigations and with the penalty amount that OCR levied against the hospital. On the disparate treatment point, the Fifth Circuit noted that M.D. Anderson had proffered examples of other covered entities that had violated the HIPAA rules regarding encryption but had not faced any comparable financial consequences. The court agreed with OCR that each individual case requires an assessment of its unique facts but also stated that “an administrative agency cannot hide behind the fact-intensive nature of penalty adjudications to ignore irrational distinctions between like cases.” On the penalty amount itself, the Fifth Circuit stated that Congress had set a per-year cap of $100,000 for all reasonable cause violations, not the $1.5 million that OCR applied in this case.
We expect this decision to have a meaningful impact on OCR investigations going forward. The decision will make it harder for OCR to pursue specific regulatory violations and may affect how OCR has historically evaluated compliance. In HIPAA investigations, in addition to considering whether an entity has a policy in place to meet the requirements of the HIPAA rules, OCR also looks at 1) the effectiveness of those policies and whether they meet industry-wide standards, 2) the entity’s response to an incident, and 3) the entity’s history of prior issues, if any. This decision may make it more difficult for OCR to apply this holistic approach. As with the LabMD decision in the Eleventh Circuit (which rejected the Federal Trade Commission’s approach to a particular resolution of a security breach investigation), M.D. Anderson’s victory in this case may also encourage other covered entities subject to HIPAA investigations to challenge OCR’s decisions in informal settlement proceedings and to pursue court action where appropriate.