Following an investigation stemming from a 2012 theft of an unencrypted laptop and the loss of two unencrypted flash drives in 2012 and 2013, OCR determined that MD Anderson failed to implement a mechanism to encrypt electronic PHI (“ePHI”) in violation of the HIPAA Security Rule and improperly disclosed ePHI in violation of the HIPAA Privacy Rule. As the parties did not reach a settlement (which is the more common means by which OCR procures payment from entities for alleged violations), OCR sought to impose civil monetary penalties totaling $4.3M under HIPAA’s tiered penalty scheme. Specifically, the agency assessed $1.3M for the lack of encryption and $3M ($1.5M per year) for the impermissible disclosures of ePHI. MD Anderson twice unsuccessfully challenged OCR’s decision in administrative proceedings before appealing to the Fifth Circuit Court of Appeals.
The Fifth Circuit Decision.
The Fifth Circuit agreed with MD Anderson that OCR “offered no lawful basis for its civil monetary penalties” and held that the agency’s fine ran afoul of the Administrative Procedure Act. The unanimous panel provided four independent reasons for its decision:
- First, the HIPAA Security Rule requirement regarding encryption “does not require a covered entity to warrant that its [encryption] mechanism provides bulletproof protection of ‘all systems containing ePHI.’” Instead, the implementation specification requires an entity to implement “a mechanism” for encryption. The Fifth Circuit found that MD Anderson had implemented various mechanisms for encryption as far back as 2006, and OCR failed to demonstrate that the Texas provider had not done enough to secure its ePHI.
- Second, the HIPAA Privacy Rule’s definition of “disclosure”—“the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information”—contemplates an affirmative act rather than a passive loss of information. The Fifth Circuit suggests that in order for OCR to prove an entity disclosed PHI, it would need to prove that the information was received by someone outside the entity. Here, MD Anderson did not act affirmatively to disclose ePHI, and OCR did not demonstrate that someone outside the entity received the information.
- Third, OCR inconsistently assessed civil monetary penalties for data loss/theft incidents and “offered no reasoned justification for imposing zero penalty on one covered entity and a multi-million-dollar penalty on another.”
- Finally, OCR’s assessment of $1.5M per year for a violation of the Privacy Rule provision prohibiting unauthorized uses or disclosures ran counter to statutory language capping fines at $100,000 during a calendar year for reasonable-cause violations of an identical HIPAA provision.
Implications for HIPAA compliance and future OCR actions.
While the case has been remanded to the HHS Departmental Appeals Board for further proceedings, the Fifth Circuit’s published decision is an important ruling for organizations subject to HIPAA. Among other potential impacts, this ruling may affect: determinations as to whether an incident meets the definition of “breach” under HIPAA; how entities evaluate their compliance with Security Rule provisions; how entities defend against OCR allegations of HIPAA violations; and how OCR approaches future enforcement actions.
In light of this significant decision, and a new Administration, it will be critical to monitor developments in this case, as well as any other guidance that may be released given the precedent set by the Fifth Circuit.
Authored by Marcy Wilder, Scott Loughlin, Paul Otto, Andrew Bank, and Madeline Gitomer.