The U.S. Fifth Circuit Defends a Hospital from "Arbitrary and Capricious" DHHS Fines
Healthcare entities located in Louisiana, Texas, and Mississippi can rejoice at having won the jurisdictional lottery.
On January 14, 2021, the United States Fifth Circuit Court of Appeals vacated a $4.3M fine imposed by the U.S. Department of Health and Human Services (“DHHS”) over two lost thumb drives and a stolen laptop. Each of the lost devices held unencrypted electronic protected health information (“ePHI”), potentially violating the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (the "HITECH Act"). However, DHHS ultimately conceded that it could justify a fine equal to only about ten percent of its desired seven-figure penalty.
Evaluating the purported violations by the M.D. Anderson Cancer Center in Houston, Texas, not only did the Fifth Circuit consistently chastise DHHS for its unjustifiable fines and misinterpretation of federal law, but it articulated two more important tenets:
Neither HIPAA nor HITECH requires security measures to be 100% effective; and
Neither DHHS nor its Administrative Law Judges enjoy unfettered discretion to impose data breach fines.
In losing the thumb drives and laptop, M.D. Anderson purportedly violated two regulations. First, the “Encryption Rule” (45 C.F.R. §§ 164.312(a)(2)(iv), 164.306(d)), which requires the covered entity to "[i]mplement a mechanism to encrypt" ePHI or adopt some other "reasonable and appropriate" method to limit access to patient data. The second regulation DHHS alleged was violated, the “Disclosure Rule,” prohibits the unpermitted disclosure of protected health information (45 C.F.R. § 164.502(a)).
Beginning with the Encryption Rule, the Fifth Circuit found no violation by M.D. Anderson despite the lost devices lacking encryption. The rule only requires that M.D. Anderson "[i]mplement a mechanism to encrypt and decrypt electronic protected health information." M.D. Anderson had such a mechanism; it simply was not followed consistently by every employee.
M.D. Anderson's "Information Resources Acceptable Use Agreement and User Acknowledgement for Employees" required ePHI and other confidential data stored on portable endpoints to be “encrypted and backed up to a network server for recovery in the event of a disaster or loss of information." M.D. Anderson employees were provided and trained on IronKey portable encrypted devices to transport files, and encryption software for emails. So, while better enforcement by M.D. Anderson was preferred, the Fifth Circuit held that “an encryption mechanism existed, fulfilling M.D. Anderson’s obligations under the regulation.”
As for disclosure, the HIPAA regulations define the term to "mean the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information." § 160.103. The Fifth Circuit held that DHHS improperly “seized” on the word “release” to find a violation whenever control of ePHI is lost, regardless of whether any third party ever accessed it. For a “release” to amount to a disclosure under the regulation, the court reasoned, there must be an affirmative act, not an accidental one, that causes the information to be "made known" to someone outside of M.D. Anderson. DHHS failed to articulate how M.D. Anderson’s accidental loss “could ‘disclose’ a secret without actually making it known to someone [outside the organization]. Nor can we imagine a way.”
DHHS responded to the Fifth Circuit’s strict enforcement of the “Disclosure Rule” by arguing that it is too difficult to “show that ePHI was disclosed to someone, and harder still if it must show that ePHI was disclosed ‘outside’ of the covered entity.” Almost comically, the Fifth Circuit answered with
Maybe so, maybe not. But that's precisely the sort of policy argument that HHS could vet in a rulemaking proceeding. It's not an acceptable basis for urging us to transmogrify the regulation HHS wrote into a broader one.
Finally, turning to the fine, the Fifth Circuit clarified that Congress capped penalties for all reasonable-cause violations at $100,000 per year—not $1,500,000 (42 U.S.C. § 1320d-5(a)(3)(B)). Further, DHHS is required to consider, and yet failed to consider, the following factors in assessing a fine:
Whether the violation caused physical harm;
Whether the violation resulted in financial harm;
Whether the violation resulted in harm to an individual's reputation; and
Whether the violation hindered an individual's ability to obtain health care. (45 C.F.R. § 160.408(b)).
Therefore, the Fifth Circuit held: “It's undisputed that HHS can prove none of these. But … justified ignoring them because ‘the penalties that I determine to impose are but a small fraction of the maximum penalties that are permitted by regulation’—a regulation that HHS now concedes in its ‘enforcement discretion’ is unlawful.”
It is nice to see the United States Fifth Circuit take a realistic review of DHHS fines.