The US Court of Appeals for the Fifth Circuit issued its ruling in the landmark HIPAA case between The University of Texas MD Anderson Cancer Center (MD Anderson) and the US Department of Health and Human Services (HHS). The three-member panel unanimously vacated a $4.3 million penalty that HHS sought to enforce against MD Anderson, finding that HHS had “no lawful basis for its civil monetary penalties.” The published opinion specifically held that “[t]he Government’s CMP order against MD Anderson was arbitrary, capricious, and otherwise unlawful” under the federal Administrative Procedure Act.
The case stems from a laptop stolen from a researcher’s home and two lost USB drives. The devices were unencrypted and MD Anderson voluntarily reported these incidents to HHS’s Office for Civil Rights. HHS subsequently alleged that MD Anderson had violated certain encryption regulations and that it had disclosed ePHI as a result of the stolen and lost devices. HHS then proposed a $4.3 million civil money penalty (CMP). MD Anderson appealed the proposed penalty through the agency review process over several years until it was finally able to petition the Fifth Circuit for review.
The Fifth Circuit noted “four independent” reasons for its decision to vacate the CMP. The first ground on which the court sided with MD Anderson addressed “encryption requirements” that HHS alleged MD Anderson failed to follow. In disagreeing with HHS’s position, the Fifth Circuit found that the regulation requires only “a mechanism” for encryption and that MD Anderson “plainly implemented a ‘mechanism’ to encrypt ePHI.” The court emphasized that the regulation does not require a covered entity to warrant that its mechanism provides bulletproof protection of all systems containing ePHI;” only that it have a “mechanism” in place.
Another troubling issue with HHS’s position on the “encryption requirement” was that it used MD Anderson’s internal information security initiative documents to establish the standard against which MD Anderson’s compliance was measured. The Fifth Circuit rejected this contention, noting that “it’s plainly irrational to say that MD Anderson’s desire to do more in the future means that in the past it “’failed to encrypt patient data on portable media at all.’” If accepted, HHS’s position would have allowed the agency to set enforcement standards against a covered entity based on the entity’s highest hopes in future planning, including whatever other untethered discretion HHS used to interpret from those hopes. This would have established an ever-changing standard for statutory compliance.
The court next moved to its second reason to vacate HHS’s interpretation of the defined term “disclosure.” HHS argued that the word “release” in the definition meant that “a covered entity violates the Disclosure Rule whenever it loses control of ePHI—regardless of whether anyone outside of MD Anderson accesses it.” The court again disagreed noting that HHS’s interpretation departed from the regulation in at least three ways. First, in noting that the definition requires some form of “action” by the covered entity, the court found that “[i]t defies reason to say an entity affirmatively acts to disclose information when someone steals it.” The Fifth Circuit aptly stated, “[t]hat is not how HHS defined ‘disclosure’ in the regulation. So HHS may not define it that way in an adjudication.”
The court next noted that “the Government nowhere explains how ‘information’ can be released, transferred, provided, or divulged without someone to receive it and hence be informed by it.” To the contrary, the Fifth Circuit stated that the “regulation appears to define ‘disclosure’ in accordance with its ordinary meaning, which requires information to be ‘made known’ to someone.” The court also refused to interpret § 160.103 to mean that HHS can prove that MD Anderson “disclosed” ePHI without proving that someone “outside” the entity received it. In this case, the government conceded that it could not meet those standards because there was no evidence that the information on the devices was ever accessed, viewed, or used by anyone else. Nevertheless, HHS sought to pursue its $4.3 million penalty against MD Anderson, an institution dedicated to curing cancer, in the face of no harm to a single individual involved.
The Fifth Circuit then moved to its third reason for vacatur – HHS’s “insistence that the Government can arbitrarily and capriciously enforce the CMP rules against some covered entities and not others.” The court decreed “[i]t is a bedrock principle of administrative law that an agency must “treat like cases alike.” MD Anderson proffered examples of other covered entities that allegedly violated HHS’s interpretation of the encryption rule in similar ways and faced zero financial penalties from the government. The court took issue with HHS’s failure to offer any “reasoned justification for imposing zero penalty on one covered entity and a multi-million-dollar penalty on another.” The court, in refusing to grant HHS the unfettered discretion it sought, concluded that if it were otherwise, “an agency could give free passes to its friends and hammer its enemies—while also maintaining that its decisions are judicially unreviewable because each case is unique.” The Administrative Procedure Act does not allow such an arbitrary approach.
The court’s final reason for vacating the penalty against MD Anderson involved the amount of the penalty at issue. For the vast majority of this case, HHS sought penalty amounts that were far above the “caps” or limits provided in HIPAA’s statutory scheme. As a result of MD Anderson arguing for several years that the regulations exceeded the statutory caps, HHS recognized its error and issued a notice of “enforcement discretion”, or “mea culpa” as the court described, correcting its interpretation of the penalty limits. As part of the agency’s shift, the government conceded to the court a reduction in the penalty against MD Anderson to $450,000, but only after years of MD Anderson litigating this exact issue. With the court’s ruling, the correct interpretation of HIPAA’s statutory “caps” and HHS’s “enforcement discretion” are now embodied in federal case law.
The court next attacked what remained of the $4.3 million penalty and “the erroneous premises of the decisions by the ALJ and the Departmental Appeals Board.” The Fifth Circuit noted the “erroneous premises are particularly problematic because they tainted other parts of HHS’s decision,” such as the factors considered when assessing civil penalties. The factors include physical harm, financial harm, reputational harm, and the ability to obtain healthcare, and the court unequivocally stated that “[i]t’s undisputed that HHS can prove none of these.” Without such proof, no penalty could be sustained against MD Anderson.
MD Anderson also raised other arguments to the Fifth Circuit, including certain statutory construction and federalism issues. One such issue included MD Anderson’s contention that, as a state entity, it is not included in HIPAA’s definition of “person” for purposes of identifying those subject to the government’s civil money penalty scheme. Although the court recognized this issue, it declined to address it and instead vacated HHS’s civil penalty because of the agency’s “arbitrary, capricious, and otherwise unlawful” actions. Consequently, the argument that state entities are not a “person,” and thus not subject to CMPs, remains for another day.
The decision is an important ruling for all healthcare providers and covered entities and provides additional guidance on requirements and enforcement. The decision, in particular with respect to stolen devices and encryption requirements, will impact OCR enforcement actions going forward across the healthcare industry.
The case is styled No. 19-60226; University of Texas M.D. Anderson Cancer Center, Petitioner, vs. United States Department of Health and Human Services, Respondent, in the US Court of Appeals for the Fifth Circuit. The court’s opinion was filed as Document: 00515706891 in the case.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact the authors, B. Scott McBride, Gregory N. Etzel, or John Petrelli, or any of the following Morgan Lewis lawyers:
Mark B. Stein
Lauren Z. Groebe
Brian M. Jazaeri
W. Reece Hirsch