By Nadine E. Roddy, J.D.
Among other APA violations by HHS, the penalty far exceeded HIPAA’s cap of $100,000 per calendar year against any one entity for identical "reasonable cause" violations.
A multi-million dollar civil monetary penalty (CMP) against a health care center for inadvertent loss of electronic protected health information (ePHI) contained in a stolen laptop computer and two misplaced USB thumb drives was arbitrary, capricious, and contrary to law, the Fifth Circuit has held. Even though Congress placed a cap of $100,000 per calendar year on penalties against an entity for "reasonable cause" violations, in this case, HHS applied an impermissible cap of $1,500,000 per calendar year against the center (University of Texas M.D. Anderson Cancer Center v. HHS, January 14, 2021, Oldham, A.).
Employees of the University of Texas M.D. Anderson Cancer Center (Center) lost patients’ protected data in three separate incidents: (1) an employee’s laptop computer, which contained electronic protected health information (ePHI) for 29,021 individuals, was stolen; (2) a trainee lost a USB thumb drive containing ePHI for over 2,000 individuals; and (3) a researcher misplaced another USB thumb drive containing such information for nearly 3,600 individuals. In contravention of the Center’s requirements, none of the ePHI material had been encrypted.
After the Center disclosed these incidents to HHS, the agency determined that the Center had violated two regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The first regulation (the Encryption Rule) requires entities covered by HIPAA and the HITECH Act to "[i]mplement a mechanism to encrypt" ePHI or adopt some other "reasonable and appropriate" method to limit access to patient data. The second regulation (the Disclosure Rule) prohibits the unpermitted "disclosure" of protected health information. HHS determined that the Center had "reasonable cause" to know that it had violated the rules, and it assessed a CMP of $4,348,000 (see DAB upholds $4.38 million in civil monetary penalties for HIPAA breach, June 14, 2019). After the CMP was upheld through the two levels of administrative appeal, the Center petitioned for review by the Fifth Circuit. Only at that point did HHS concede that it could not defend its penalty, and it asked the court to reduce the penalty by a factor of 10 to $450,000.
The court had no trouble concluding that in assessing a CMP of $4,348,000 against the Center, HHS violated the Administrative Procedure Act (APA). The court first determined that its review would be de novo because the ALJ and the Departmental Appeals Board had refused to interpret the relevant statutes. Turning to the substantive issues, the court identified four independent reasons supporting its conclusion that the CMP order was arbitrary, capricious, and otherwise unlawful.
Encryption Rule. Concerning the Encryption Rule, which requires a HIPAA-covered entity to "[i]mplement a mechanism to encrypt and decrypt electronic protected health information," it was undisputed that the Center had implemented such a mechanism. Among other measures, the Center had adopted an Employee Acceptable Use Agreement that specified: "If confidential or protected [Center] data is stored on portable computing devices, it must be encrypted and backed up to a network server for recovery in the event of a disaster or loss of information." The Center furnished its employees an "IronKey" to encrypt and decrypt mobile devices, and it trained its employees on how to use it.
Disclosure Rule. As for the Disclosure Rule, which defines "disclosure" to mean "the release, transfer, provision of access to, or divulging in any manner" of protected information outside the entity, the court interpreted the rule to require an affirmative act of disclosure, rather than a passive loss of information, as occurred in this case. Concerning the ALJ’s insistence that HHS could enforce its CMP rules against some covered entities but not others, the court noted the bedrock principle of administrative law that an agency must treat like cases alike. The HHS offered no reasoned justification for imposing a CMP of $0 on one similarly situated entity identified by the Center while imposing a multi-million-dollar CMP on the Center.
CMP amount. Finally, concerning the amount of the CMP, the court noted that for "reasonable cause" violations, Congress has specified that the total amount imposed on the entity for all such violations of an identical requirement or prohibition during a calendar year cannot exceed $100,000. Yet the ALJ and the Appeals Board had applied a per-year statutory cap of $1,500,000. This action alone was arbitrary and capricious. The court granted the petition, vacated the CMP order, and remanded the matter for further proceedings consistent with its opinion.
The case is No. 19-60226.
Attorneys: Brian Scott McBride (Morgan, Lewis & Bockius, L.L.P.) for University of Texas M.D. Anderson Cancer Center. Anne M. Murphy, U.S. Department of Justice, for United States Department of Health and Human Services.
Companies: University of Texas M.D. Anderson Cancer Center; United States Department of Health and Human Services
MainStory: TopStory CaseDecisions AuditNews CyberPrivacyFeed EHRNews HITNews HIPAANews ProgramIntegrityNews DataPrivacy DataSecurity DataBreach LitigationEnforcement LouisianaNews MississippiNews TexasNews
Interested in submitting an article?
Submit your information to us today!Learn More
Health Law Daily: Breaking legal news at your fingertips
Sign up today for your free trial to this daily reporting service created by attorneys, for attorneys. Stay up to date on health legal matters with same-day coverage of breaking news, court decisions, legislation, and regulatory activity with easy access through email or mobile app.