The Matrix

For background, M.D. Anderson had a series of mishaps in 2012 and 2013. First, in 2012, one of their faculty member’s laptop was stolen. The laptop had electronic-protected health information for 29,021 persons. The faculty member’s laptop was not password-protected and was not encrypted. Then, an M.D. Anderson trainee lost an unencrypted USB thumb drive that held ePHI for over 2,000 persons. Finally, in 2013 another unencrypted USB thumb drive containing the ePHI for 3,600 persons was misplaced by a visiting researcher.

Upon disclosing these incidents to HHS, the department determined that M.D. Anderson had violated HIPAA and HITECH’s Encryption Rule and Disclosure rules. The Encryption Rule requires that ePHI be encrypted in order to protect it. The Disclosure Rule forbids unpermitted disclosure of ePHI. Additionally, HHS found that M.D. Anderson had “reasonable cause” to know that it was violating both the Encryption and Disclosure rules. After assessing daily penalties for the incidents, HHS arrived at $4,348,000 for a civil monetary penalty. 

After losing its administrative appeals, M.D. Anderson petitioned the Court. The Court did not entertain M.D. Anderson’s original argument that a state agency is not a “person” covered by HIPAA’s enforcement provision. Instead, the Court targeted an independent reason for review: that the CMP violates the Administrative Procedure Act.

HHS was heavily criticized on four distinct points, each of which the Fifth Circuit found as arbitrary and capricious. The first two points are particular to the ALJ decision which M.D. Anderson appealed.

• Encryption Rule: Under the Encryption Rule, M.D. Anderson would have to “[i]mplement a mechanism to encrypt and decrypt electronic protected health information.” The Fifth Circuit noted that M.D. Anderson had taken measures to encrypt ePHI, and not only had policies in place for employees, but M.D. Anderson even gave employees an “IronKey” to both encrypt and decrypt mobile devices. Employees were trained on how to use the IronKey. Additionally, M.D. Anderson had software to encrypt files and emails. However, the ALJ took a strict stance when interpreting the Encryption Rule. The ALJ believed that all systems containing ePHI must be encrypted, with no exceptions. This is a point where the Court was critical of the ALJ, stating “The regulation requires only ‘a mechanism’ for encryption. It does not require a covered entity to warrant that its mechanism provides bulletproof protection of ‘all systems containing ePHI.’”  The Court here found that M.D. Anderson had “mechanisms” in place, as is required by the regulation. Overall, if there are three devices that were not encrypted out of many that are encrypted, then it does not mean that M.D. Anderson failed in abiding by the regulation.
• Disclosure Rule: Under the Disclosure Rule, a covered entity cannot disclose ePHI, which the ALJ equated disclosure with any loss of control of the ePHI. However, the Court viewed this is as contrary to the regulation. First, the Court interpreted disclosure to be an “affirmative” act and not a “passive loss of information.” Second, the Court states that disclosure means the information is actually being made known to a person. Here, HHS did not show proof that the ePHI was actually disclosed to a person or that an actual individual ever accessed any of the lost ePHI. Finally, the Court said that ePHI must be disclosed outside of the covered entity. The Court was concerned that the “loss-of-control” standard proposed by the Government would mean that a covered entity would be liable for internal transfers of ePHI. The examples used by the Court were if employees at a covered entity shared a laptop with each other, or if one employee stole a laptop from another employee. If the Court agreed with the loss-of-control standard, then their concern was that a covered entity would be disclosing ePHI in violation of the regulation in those scenarios. The ePHI must be disclosed outside of the covered entity. 
• Variability of Enforcement: While HHS fined M.D. Anderson $4.3 million for the breaches at issue, the Fifth Circuit found it compelling that other health systems with similarly sized breaches arising from similar circumstances were fined substantially less or in some instances not at all. Although administrative law allows agencies latitude in determining the magnitude of enforcement, the court held as a principle of administrative law that the agency cannot pick and choose the cases which it chooses to enforce without any apparent standard.
• Penalty Amounts: Similarly, HHS agreed with M.D. Anderson that the penalty amounts charged of $4.3 million were well in excess of the penalty amounts stated in the HIPAA regulations for any HIPAA violation.

Why Does This Matter?

There are two key takeaways of note:

• Firstly, HHS is noted to be behind in its enforcement efforts and statute of limitations. This case may likely result in HHS taking enforcement actions in response to more breaches, given the clear edict that HHS should be taking enforcement actions in a uniform manner. 

• Secondly, while this case supports penalty appeal, the Court also noted that M.D. Anderson had implemented mechanisms to protect electronic PHI. While M.D. Anderson’s mechanisms ultimately failed, the Court noted that this is an area where perfect compliance is likely impossible.

While this is only a Fifth Circuit decision, as of yet no other circuits have decided a similar matter. Covered entities cannot count on catching this sort of break if they run into a similar situation as M.D. Anderson. Therefore, investing in HIPAA security and privacy program requirements is more critical than ever.