“If at first you don’t succeed, try try again.”

After several years and appeals, M.D. Anderson has succeeded in overturning a hefty civil monetary penalty (“CMP”) stemming from a series of data breaches involving unencrypted devices. On January 14, the Court of Appeals for the Fifth Circuit ruled to vacate the $4.3M penalty assessed against M.D. Anderson as arbitrary, capricious and contrary to law.

M.D. Anderson conducts research and provides cancer treatment through a research center, cancer treatment hospitals and diagnostic imaging clinics. Between 2011 and 2013, M.D. Anderson had been plagued with a series of unfortunate events relating to mobile devices. A physician’s unencrypted laptop was stolen from his home in 2012, followed by the loss of two unencrypted USB devices between 2012 and 2013. In addition, multiple M.D. Anderson physicians suffered stolen Blackberry devices the year prior.

Particularly problematic for M.D. Anderson was that its internal policies required encryption. A risk analysis it conducted prior to the loss of the devices also acknowledged the lack of an enterprise-wide solution for encrypting laptops and mobile devices and that it was aware that individuals were using unencrypted devices.

After M.D. Anderson reported the breaches, the Department of Health and Human Services (“HHS”) through the Office for Civil Rights (“OCR”) investigated and ultimately found M.D. Anderson violated the HIPAA Security Rule provisions governing encryption and decryption, as well as its own internal policies, which OCR focused on extensively. In its 2017 Notice of Proposed Determination, OCR assessed $1,348,000 for M.D. Anderson’s failure to implement access controls as required by 45 CFR 164.312(a)(2)(iv) (encryption and decryption), and it assessed $3,000,000 for the data breaches that had occurred from theft/loss of the unencrypted devices. Although M.D. Anderson had pursued and encrypted 98% of its managed computer inventory (approximately 33,000 laptops), OCR stated,

In spite of the fact that MD Anderson experienced three separate major breaches in 2012 and 2013, it still failed to achieve complete encryption of its inventory of electronic devices containing ePHI as of January 25, 2013….

MD Anderson failed to adequately remediate and manage its high risk findings through encryption, as required by the 45 C.F.R. § 164.312(a)(2)(iv) and its own policies, or, alternatively, document the reasons encryption was not feasible and implement an equivalent alternative measure to encryption from December 1, 2010, until at least January 25, 2013. (emphasis added)

M.D. Anderson appealed twice unsuccessfully before petitioning for review from the Fifth Circuit.

The Court held that the CMP was arbitrary, capricious and otherwise unlawful and vacated the penalty. The Court found that HHS and the ALJ “refused to interpret the [HIPAA and HITECH] statutes at all” and that the ALJ and HHS Department Appeals Board further refused to consider whether the CMP was arbitrary and capricious. Therefore, it conducted a de novo review of M.D. Anderson’s statutory arguments as well as a de novo review of M.D. Anderson’s regulatory arguments.

1. Encryption.

The driving factor behind the CMP had been that M.D. Anderson failed to implement encryption on the devices that had been stolen or lost. The Court, however, highlighted that the HIPAA Security Rule encryption provisions require a “mechanism” to encrypt and decrypt electronic PHI. M.D. Anderson provided encrypted USB drives, and mechanisms for encrypting files and emails, and it wanted to improve upon these by adopting more robust mechanisms enterprise-wide to address instances it was aware of in which its policies weren’t complied with.

HHS essentially argued that M.D. Anderson should have done “more” or should have done it “better”; however, the Court found it was “plainly irrational to say that M.D. Anderson’s desire to do more in the future means that in the past it ‘failed to encrypt patient data on portable media at all.’” Although there were some instances where devices were not properly encrypted, the Court found that this did not mean M.D. Anderson failed to adopt a “mechanism”, stating,

As the ALJ understood the Encryption Rule, it “require[s] covered entities to assure that all systems containing ePHI be inaccessible to unauthorized users.” Period. Full stop. No exceptions.

But that’s not the regulation HHS wrote. The regulation requires only “a mechanism” for encryption. It does not require a covered entity to warrant that its mechanism provides bulletproof protection of “all systems containing ePHI.” Nor does it require covered entities to warrant that all ePHI is always and everywhere “inaccessible to unauthorized users.” Nor does the regulation prohibit a covered entity from creating “a mechanism” by directing its employees to sign an Acceptable Use Agreement that requires encryption of portable devices. Nor does it say that providing employees an IronKey is insufficient to create a compliant mechanism. Nor does it say anything about how effective a mechanism must be, how universally it must be enforced, or how impervious to human error or hacker malfeasance it must be.

The regulation simply says “a mechanism.” M.D. Anderson undisputedly had “a mechanism,” even if it could’ve or should’ve had a better one. So M.D. Anderson satisfied HHS’s regulatory requirement, even if the Government now wishes it had written a different one.

2. Disclosure of ePHI.

The HIPAA Privacy Rule prohibits “disclosure” of PHI and electronic PHI (“ePHI”) except as permitted or required by HIPAA. 45 CFR 164.502(a). As defined, “disclosure” means “the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.” The Court found that the ALJ arbitrarily concluded that violation of this disclosure rule occurs whenever the covered entity loses control of ePHI, regardless of whether a third party accesses it. In reading “disclosure” to require an affirmative act and not passive loss, the Court stated, “HHS never explains how someone could ‘disclose’ a secret without actually making it known to someone. Nor can we imagine a way.”

Further, HHS could not prove that someone outside of M.D. Anderson had received the information. Although HHS argued that it would be difficult for it to enforce the “disclosure rule” if it had to show the ePHI was not only disclosed to someone, but to someone outside of the covered entity, the Court rejected this, stating, “It’s not an acceptable basis for urging us to transmogrify the regulation HHS wrote into a broader one.”

3. Like Cases Alike.

The Court rejected the ALJ’s insistence that it did not have to compare penalties assessed by HHS in other circumstances. M.D. Anderson had provided examples of other covered entities that had similarly violated the encryption requirements, but had faced no penalties. Although the Court agreed that HHS must evaluate each case on its individual facts, it could not ignore “irrational distinctions” between like cases and impose a multi-million dollar penalty on one and no penalty on another.

4. CMP Amount.

Lastly, the Court found that the statutory annual cap for violations due to “reasonable cause” was improperly applied and should have been $100,000, not $1,500,000. “It is quite obvious from [the] statutory text that each reasonable-cause violation can be penalized from $1,000 to $50,000—but the total of all reasonable-cause violations for a calendar year cannot exceed $100,000.” After M.D. Anderson had been unsuccessful in its appeals before the ALJ and Departmental Appeals Board, HHS independently recognized this and conceded it had misinterpreted the statutory caps, issuing a Notice of Enforcement Discretion in April of 2019.

Beyond applying this misinterpretation of the caps, the ALJ had also ignored other ways in which HHS deviated from its own regulations in its treatment of M.D. Anderson. Those regulations required HHS to assess the following: (1) whether the violation caused physical harm; (2) whether the violation resulted in financial harm; (3) whether the violation resulted in harm to an individual’s reputation; and (4) whether the violation hindered an individual’s ability to obtain health care. Ultimately, HHS was unable to prove any of these.

The holding is a win for covered entities and business associates who, despite solid encryption and other security policies and practices, may be unable to attain the level of complete perfection expected by HHS. HHS will undoubtedly reevaluate its enforcement approach for future investigations and settlements.