The U.S. Court of Appeals for the Fifth Circuit has vacated a $4.3 million civil monetary penalty that the Department of Health and Human Services levied against a covered entity in 2017, finding the fine was arbitrary, capricious, and contrary to law, and that HHS had not shown that the covered entity had violated the HIPAA rules. The HHS Office for Civil Rights imposed the fine on the University of Texas MD Anderson Cancer Center following three data breaches that occurred in 2012 and 2013.
MD Anderson reported three data breaches to HHS from 2012 to 2013. Two unencrypted USB drives were lost, and a laptop was stolen that was not encrypted or password protected. Combined, these incidents involved the electronic protected health information (ePHI) of over 34,000 individuals. HHS fined MD Anderson for violating provisions of HIPAA’s Privacy and Security Rules. The Security Rule requires HIPAA-regulated entities to “implement a mechanism to encrypt and decrypt” ePHI. The Privacy Rule prohibits unauthorized disclosure of PHI.
The Fifth Circuit concluded that HHS had not properly applied the HIPAA encryption and disclosure provisions to MD Anderson. The encryption rule is addressable (i.e., it does not necessarily apply to every entity), but its applicability here was not disputed. The court stressed that the rule only requires “a mechanism” for encryption. MD Anderson had a means of encryption and instructed employees to encrypt ePHI on portable devices, but the employees responsible for the loss of the unencrypted devices had not followed these instructions. The court determined that MD Anderson complied with the HIPAA rule because it had an encryption mechanism, and that the employees’ failure to abide by the mechanism (or MD Anderson’s failure to enforce its policies more rigorously) did not negate this. Having an encryption mechanism satisfied the rule, the court held, “even if [MD Anderson] could’ve or should’ve had a better one.”
The court also held that MD Anderson had not violated the disclosure rule. This rule prohibits the “disclosure” of PHI, meaning the “release, transfer, provision of access to, or divulging in any manner of [PHI] outside the entity holding the [PHI].” The court reasoned that the verbs used to define “disclosure” suggested (1) “an affirmative act of disclosure, not a passive loss of information,” and (2) that the disclosure was made to someone. Thus, the court concluded that to prove a violation of the disclosure rule, HHS would need to show that someone outside of MD Anderson actually accessed the PHI that was lost.
Lastly, the Fifth Circuit concluded that the penalty was arbitrary and capricious under the Administrative Procedure Act because it was inexplicably harsher than the penalties imposed in similar cases, and the per-year penalties imposed exceeded the applicable per-year penalty cap for HIPAA violations.
The Fifth Circuit’s narrow interpretation of HIPAA’s encryption and disclosure rules could set a high standard of proof for HHS (at least in the Fifth Circuit) when seeking to show violations of HIPAA by a covered entity. To prove a violation of the encryption provisions, HHS would need to show that an entity entirely lacked a mechanism for encryption – not merely that the entity failed to apply the mechanism perfectly in a particular instance or that the mechanism could have been more effective. To prove a violation of the disclosure rule, HHS would need to prove that someone outside the entity actually viewed, received, or otherwise accessed PHI – not just that an unauthorized individual could have accessed it. This requirement of affirmative disclosure may be very difficult for HHS to prove.
Other circuits may not follow the Fifth Circuit’s interpretation of these rules, but the opinion offers HIPAA-regulated entities several potentially persuasive arguments that could prove useful in litigating similar incidents elsewhere.