On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit vacated the civil monetary penalty (CMP) imposed by the Department of Health and Human Services (HHS) against the University of Texas M.D. Anderson Cancer Center (M.D. Anderson) in 2017. The court stated that HHS “offered no lawful basis for its civil monetary penalties against M.D. Anderson” and HHS’ “decision was arbitrary, capricious, and contrary to law.”
Between 2012 and 2013, M.D. Anderson notified HHS of three separate HIPAA breaches, all involving lost or stolen mobile devices, affecting the electronic protected health information (ePHI) of approximately 35k patients. After conducting an investigation, HHS imposed a civil monetary penalty (CMP) of $4,348,000 on M.D. Anderson.
HHS had found that M.D. Anderson violated federal laws requiring HIPAA-regulated entities to “[i]mplement a mechanism to encrypt” ePHI or adopt another “reasonable and appropriate” method to limit access to patient data and prohibit the unpermitted disclosure of PHI. See 45 C.F.R. §§ 164.306; 164.312(a)(iv); 164.502(a). HHS also determined that M.D. Anderson had “reasonable cause” to know it had violated such laws. HHS assessed daily penalties totaling $1,348,000 for the encryption violations, $1,500,000 for the unpermitted disclosure of ePHI in 2012, and $1,500,000 for the unpermitted disclosure of ePHI in 2013, for the resulting $4,348,000 CMP.
M.D. Anderson unsuccessfully appealed the CMP through two levels of administrative appeals at the HHS Departmental Appeals Board (first to an Administrative Law Judge (ALJ) and then to the Appellate Division of the HHS Departmental Appeals Board). The ALJ, in the first administrative appeal in 2018, refused to consider whether the CMP was arbitrary or capricious, despite M.D. Anderson’s argument that the CMPs imposed on other HIPAA-regulated entities in instances of loss of PHI were far more lenient than the CMP imposed on M.D. Anderson. The ALJ had stated, “I do not evaluate penalties based on a comparative standard. There is nothing in the regulations that suggests that I do so.” The Appellate Division of the HHS Departmental Appeals Board in 2019 issued an opinion agreeing with the ALJ’s determination.
M.D. Anderson then petitioned the Fifth Circuit for review. HHS conceded that it could not defend the $4,348,000 CMP after M.D. Anderson filed its petition to the Fifth Circuit and asked to reduce the CMP to $450,000.
The Fifth Circuit found that the CMP imposed on M.D. Anderson violates the Administrative Procedure Act as it was arbitrary, capricious, and otherwise unlawful for at least four reasons:
M.D. Anderson’s policy required portable computing devices containing ePHI to be encrypted, and M.D. Anderson provided employees with encryption technology and trained them on how to use it. M.D. Anderson encrypted emails and had various mechanisms for file-level encryption. The court found that neither M.D. Anderson’s internal documents showing that it wanted to strengthen its mechanisms for protecting ePHI, nor the fact that the three stolen or lost devices were unencrypted, meant that M.D. Anderson failed to implement “a mechanism” to encrypt any ePHI. The court wrote, “The regulation simply says ‘a mechanism.’ M.D. Anderson undisputedly had ‘a mechanism,’ even if it could’ve or should’ve had a better one. So M.D. Anderson satisfied HHS’ regulatory requirement, even if the Government now wishes it had written a different one.”
The court wrote that the ALJ concluded a covered entity violates HIPAA whenever the covered entity loses control of ePHI, regardless of whether that ePHI is accessed by a person outside of the covered entity. The court found “[t]hat is not how HHS defined ‘disclosure’ in the regulations” and therefore HHS “may not define it that way in an adjudication.”
M.D. Anderson had provided examples of covered entities that have lost unencrypted mobile devices where HHS had not imposed any CMP on the covered entity. HHS’ response was that HHS evaluates each case on its individual facts. The court stated, “an administrative agency cannot hide behind the fact-intensive nature of penalty adjudications to ignore irrational distinctions between like cases . . . [w]ere it otherwise, an agency could give free passes to its friends and hammer its enemies—while also maintaining that its decisions are judicially unreviewable because each case is unique.”
Individuals who practice in this space have long stated it is virtually impossible to predict the penalties HHS will impose subsequent to a data breach and resulting HHS investigation. The CMPs imposed have ranged from a few thousand dollars up to $16 million to date. In addition, HHS has issued CMPs against a relatively small number of covered entities and business associates in comparison to the number of breaches affecting 500 or more individuals reported to HHS, a list of which is publicly available.
Although it was ultimately a successful outcome for M.D. Anderson, it took the organization four years and no doubt numerous resources to reach this conclusion. And note that technically the case is not over – the court remanded the case for further proceedings consistent with the court’s opinion. One potential implication of this case is that HHS will revisit its historical practices in imposing CMPs so that the process is more transparent and organizations are better able to predict – or at least understand – the penalties that may await subsequent to a data breach. Additionally, as a result of the court’s decision, more organizations may choose to challenge HHS’ imposition of CMPs resulting from future investigations. In today’s world of widespread cyberattacks affecting health care organizations, HHS needs to ensure it is striking an appropriate middle ground between protecting patient data and not unfairly penalizing these organizations, most of which are not bad actors and have taken many precautions from a policy and security perspective to prevent such cyberattacks. In fact, earlier this month the Health Information Technology for Economic and Clinical Health (HITECH) Act was amended to require HHS to take into account whether a covered entity or business associate has certain recognized security practices in place when making determinations regarding enforcement and regulatory actions.