The Fifth Circuit Court of Appeals’ decision in University of Texas M.D. Anderson Cancer Center v. United States Dept. of Health and Human Services, 985 F.3d 472 (5th Cir. 2021), may provide a significant avenue for providers to challenge enforcement actions by the Office for Civil Rights (OCR). In Anderson, the Court vacated a $4.3 million fine against the University of Texas that arose from the loss of three unencrypted devices.
The first incident occurred in 2012 and involved the theft of a faculty member’s unencrypted laptop containing electronic protected health information (ePHI) for 29,021 individuals. In 2013, two unencrypted USB thumb drives were also lost; combined they contained the ePHI of approximately 5,600 individuals. MD Anderson (Anderson) reported the incidents to OCR, which determined that Anderson had violated two separate regulations under HIPAA and the HITECH Act. OCR found that Anderson:
- failed to implement a mechanism to encrypt ePHI or adopt reasonable and appropriate methods to limit access to ePHI, and
- violated regulations prohibiting the unauthorized disclosure of ePHI.
The violations resulted in OCR imposing a civil monetary penalty (CMP) of $4,348,000 on Anderson. Anderson exhausted its administrative appeals through a hearing before an administrative law judge (ALJ) and through the appeals board. Anderson then appealed to federal court, asserting that the penalties implemented by OCR violated the Administrative Procedure Act as arbitrary and capricious. The Fifth Circuit agreed.
Fifth Circuit Decision
The Fifth Circuit found that the CMP imposed on Anderson was arbitrary, capricious, and otherwise unlawful for the following reasons:
1. Encryption & Reasonable Security
First, with regard to the encryption rule, the Court found that Anderson had implemented an encryption mechanism to encrypt and decrypt documents as required by the regulations. The problem, according to the Court, was that the individuals who lost the devices failed to comply with Anderson’s encryption policies and procedures. The Court wrote that not only did Anderson provide an encryption mechanism to its employees but it also trained them on how to use the encryption technology. OCR argued, however, that although Anderson had encryption technology available, it should have done more to ensure that employees were utilizing the encryption technology. Acknowledging that the lost devices were not encrypted, the Court wrote that this only meant that three employees failed to use the mechanism or, alternatively, that Anderson did not enforce its policies rigorously enough. However, the Court went on to state that the regulations require only that Anderson have a mechanism to encrypt, which it did, and that there is nothing in the regulation mandating that a mechanism be “impervious to human error or hacker malfeasance.”
2. Unauthorized Disclosure of ePHI
Next, the Court took issue with the ALJ’s finding that Anderson had disclosed information by “releasing” it through the loss of the devices. Here, the Court reasoned that a loss is not, without more, a release of information. The Court stated: “It defies reason to say an entity affirmatively acts to disclose information when someone steals it. That is not how HHS defined ‘disclosure’ in the regulation.” Release, according to the Court, requires an affirmative act.
The decision is significant in a number of important ways on its own but may become even more potent when coupled with recent HHS regulations regarding the use of guidance documents in enforcement actions.
On its own, the decision, if adopted by other circuits, means that the mere loss of a laptop, without more, might not subject the covered entity to sanctions if there were adequate policies in place to guard against such loss. Currently, any loss is treated as a breach, and OCR’s de facto standard is that there is a violation if the mechanism fails to prevent a loss. This standard is simply not achievable given the ingenuity of bad actors and the inability of a large organization to assure that 100% of its users will comply with all policies.
In terms of phishing, a covered entity can have every procedure in place to prevent loss of data, but it takes only one employee to click on a suspicious link that will cause an infiltration of the entity’s systems. Any successful hacking attempt is a breach, res ipsa, regardless of the reasonableness of the procedures put into place to prevent it. While OCR will usually exercise discretion if it finds that the covered entity had adequate procedures in place to protect the ePHI, it nevertheless leaves the covered entity at the mercy of the agency.
It will be interesting to see the degree to which more organizations choose to challenge OCR’s imposition of CMPs as a result of the Anderson decision. In the meantime, covered entities should continue to rigorously enforce their HIPAA policies.