Trying a new format for case summaries. Please let me know what you think!
The Case in a Nutshell
- The Department of Health and Human Services (HHS) fined MD Anderson $4.35 million for violating agency regulations after it lost patients' ePHI (electronic protected health information).
- MD Anderson petitioned for review, arguing (1) that, as a state agency, it was not a "person" subject to HHS enforcement under the relevant statutes and (2) that, even if it were, the agency's decision was arbitrary and capricious in several respects.
- The Fifth Circuit granted the petition for review and vacated the penalty; assuming without deciding that MD Anderson is a covered "person" under HIPAA, the Court held that HHS's decision violated the Administrative Procedure Act (APA) in several ways and therefore had to be set aside.
- This is a landmark decision with sweeping implications for healthcare providers nationwide.
The Fifth Circuit's Opinion
Between 2012 and 2013, one MD Anderson employee's unencrypted laptop was stolen, and two other employees lost unencrypted flash drives. MD Anderson reported these incidents to HHS. After investigating, HHS concluded that MD Anderson had violated two federal regulations the agency had promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (the HITECH Act):
- the "Encryption Rule," which requires covered entities to "implement a mechanism to encrypt" electronic protected health information (ePHI) or adopt some other "reasonable and appropriate" method to limit access to patient data, 45 C.F.R. §§ 164.312(a)(2)(iv), 164.306(d), and
- the "Disclosure Rule," which prohibits the release of protected information without permission, id. § 164.502(a).
Invoking authority delegated to it under HIPAA's enforcement provision, see 42 U.S.C. § 1320d-5, HHS assessed $4.35 million in civil monetary penalties against MD Anderson. When two rounds of administrative review brought MD Anderson no relief, it turned to the Fifth Circuit.
The Court held that HHS's decision ran afoul of the APA in four ways. First, the Encryption Rule "does not require a covered entity to warrant that its [encryption] mechanism provides bulletproof protection of 'all systems containing ePHI.'" Instead, covered entities must merely implement "a mechanism" for encryption. MD Anderson had implemented various mechanisms for encryption, and the administrative law judge (ALJ) never explained why those mechanisms fell short of what the rule requires.
Second, the Disclosure Rule’s definition of “disclosure”—“the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information”—contemplates an affirmative act, not a passive loss of information. To establish an entity disclosed ePHI, HHS would need to prove that someone outside the covered entity received the supposedly disclosed information. Here, MD Anderson did not act affirmatively to disclose ePHI, and HHS didn't demonstrate that someone outside MD Anderson received the information at issue.
Third, the ALJ inconsistently assessed civil monetary penalties for data loss/theft incidents and “offered no reasoned justification for imposing zero penalty on one covered entity and a multi-million-dollar penalty on another.”
Finally, the ALJ’s assessment of $1.5M per year for a violation of the Disclosure Rule's prohibition of unauthorized uses or disclosures ran counter to statutory language capping fines at $100,000 during a calendar year for reasonable-cause violations of an identical HIPAA provision.
This is a major decision for healthcare providers nationwide. HHS settles the vast majority of disputes involving alleged violations of the HIPAA regulations at issue here, but MD Anderson refused to play ball. Were I a betting man, I'd wager that the Fifth Circuit's unanimous opinion, which is heavily critical of HHS's settled approach to these often-enforced-and-rarely-challenged regulations, will trigger a nationwide showdown between HHS and providers for two reasons:
(1) HHS's loss will likely embolden other providers to follow MD Anderson's lead in refusing to settle similar disputes going forward, and
(2) the Fifth Circuit's harsh criticism of HHS's failure to apply its regulations uniformly from one case to the next will, presumably, push the agency either to back away from or to double down on some of the more aggressive stances it took against MD Anderson in future adjudications; my bet is the agency will double down.
As important as the Court's holdings are, an issue it flagged but didn't resolve sets the stage for a future case of arguably far greater significance. Get this: MD Anderson argued that, as a state entity, it isn't included in HIPAA's definition of "person" for purposes of identifying those subject to the government's civil money penalty scheme. Although the panel acknowledged this argument, it declined to address it and instead vacated HHS's civil penalty because of the agency's "arbitrary, capricious, and otherwise unlawful" actions. Consequently, the argument that state entities are not "person[s]," and thus not subject to civil monetary penalties at all, remains for another day.
I'm not especially familiar with HIPAA enforcement, but the Court's casual mention of MD Anderson's state-agencies-aren't-persons argument caught my eye. Unable to resist, I took a look at the briefing on the issue and was surprised by the strength of MD Anderson's rather bold argument. To be clear, I read this stuff quickly and haven't studied the issue closely. If you ask me, though, MD Anderson's argument has legs. If some future federal court were to agree and hold that state agencies aren't subject to HIPAA ... holy encryption, Batman.