Covered entities under HIPAA know that violating HIPAA and related patient privacy laws can result in serious consequences. Perhaps no entity knows this better than the University of Texas M.D. Anderson Cancer Center (M.D. Anderson), which sustained a $4,348,000 civil monetary penalty. The violations that garnered such a large penalty included a faculty member’s unencrypted laptop being stolen; a trainee losing an unencrypted USB thumb drive; and a visiting researcher misplacing another unencrypted USB thumb drive.

After M.D. Anderson self-reported the incidents, the United States Department of Health and Human Services (HHS) determined that M.D. Anderson had violated two HIPAA regulations: (1) the Encryption Rule, which requires that covered entities “implement a mechanism to encrypt” electronic protected health information (ePHI) or adopt some other “reasonable and appropriate” method to limit access to patient data; and (2) the Disclosure Rule, which prohibits the unpermitted disclosure of protected health information. HHS assessed daily penalties of $1,348,000 for the Encryption Rule violations and $3,000,000 for the two Disclosure Rule violations, for a total civil monetary penalty of $4,348,000.

However, after the penalty was upheld through two levels of administrative appeals, the Fifth Circuit Court of Appeals vacated the $4.3M penalty. In a scathing opinion that was a rare rebuke of HHS enforcement power, the Court criticized HHS for “steadfastly refus[ing] to interpret the statutes at all.” Specifically, the Court determined that the penalty was “arbitrary, capricious, and contrary to law” for at least 4 reasons:

  1. The Encryption Rule requires only that the covered entity have “a mechanism” for encryption. It does not require a warranty that the mechanism will provide bulletproof protection of all systems containing ePHI, and the rule does not dictate precisely what mechanism must be put into place, how effective the mechanism must be, how universally it must be enforced, or how impervious to human error or hacker malfeasance it must be. The Court concluded that because M.D. Anderson undisputedly had “a mechanism” for encryption, there was no violation.
  2. A covered entity does not violate the Disclosure Rule any time it merely loses control of ePHI. A violation requires an affirmative act of disclosure, not a passive loss of information. Thus, an entity does not affirmatively act to disclose information when someone steals it. Additionally, “disclosure” requires that the protected information actually be “made known” to someone, and the someone must be “outside” of the covered entity. 
  3. HHS fundamentally ignored a bedrock principle of law that an agency must “treat like cases alike.” M.D. Anderson presented evidence that in other similar cases, HHS had imposed no civil monetary penalty at all. Because HHS offered no reasoned justification for imposing zero penalty on one covered entity and a multi-million-dollar penalty on another, the rules were arbitrarily and capriciously enforced against M.D. Anderson. 
  4. Under the regulations, the total civil monetary penalty amount imposed for all violations during a calendar year may not exceed $100,000. The Court also found that HHS failed to comply with its own regulations requiring that it consider four factors in assessing a penalty: whether the violation caused physical harm; whether the violation resulted in financial harm; whether the violation resulted in harm to an individual’s reputation; and whether the violation hindered an individual’s ability to obtain health care. The Court concluded that it is “undisputed that HHS can prove none of these.” 

The Court’s decision will likely have practical implications. First, this case will likely encourage more covered entities to challenge civil monetary penalties, and the Court’s reasoning provides a road map and legal precedent for such challenges. Second, the decision may encourage HHS to more carefully and uniformly impose civil monetary penalties. As the Court in this case pointed out, even before the Court’s decision was issued, HHS published a “mea culpa”, as the Court called it, conceding that it had misinterpreted the statutory caps on civil monetary penalties. Third, the decision may result in HHS seeking to amend its existing rules or promulgate new rules to make its civil monetary penalties less susceptible to challenge.

This decision is not an invitation to relax HIPAA compliance. HHS will continue investigating noncompliance issues and giving out fines. Covered entities should therefore remain diligent in their efforts to comply with HIPAA and related patient privacy laws to minimize the risk of receiving a civil monetary penalty in the first place. 

Andrew R. Alder is a shareholder attorney in Parsons Behle & Latimer’s Boise office. To discuss this or related matters, call (208) 562-4900 or send an email to