Healthcare providers and other covered entities are not required by HIPAA regulations to have “bulletproof” protections for safeguarding patient information stored in electronic form, according to a January 14, 2021 decision of the 5th U.S. Circuit Court of Appeals. In University of Texas M.D. Anderson v. U.S. Department of Health and Human Services, the 5th Circuit vacated a $4.3 million civil monetary penalty imposed by the U.S. Department of Health and Human Services (HHS) against the University of Texas’ M.D. Anderson Cancer Center.
The case arises from three separate incidents where M.D. Anderson employees lost laptops and USB thumb drives that contained unencrypted protected health information (PHI) for more than 34,000 patients. M.D. Anderson reported the breach incidents to HHS’ Office for Civil Rights (OCR), the office tasked with enforcing HIPAA. As a result of the reported breaches, OCR ordered M.D. Anderson to pay $4.3 million in civil monetary penalties (CMPs). M.D. Anderson appealed the decision to an HHS administrative law judge and to the HHS Departmental Appeals Board (DAB), both of which upheld OCR’s penalties. M.D. Anderson argued that the HIPAA regulations do not require encryption, that it complied with the regulations and employed other effective measures to safeguard electronic protected health information (ePHI), that the three incidents were the fault of staff who violated M.D. Anderson’s policies, and that the proposed CMPs were excessive.
M.D. Anderson appealed the administrative decisions to the 5th Circuit, which vacated the civil monetary penalties and remanded the case for further proceedings, which remain pending.
HIPAA Security Rule and Privacy Rule Requirements
The HIPAA Security Rule requires covered entities to implement administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of ePHI. More specifically, the Security Rule requires covered entities to ensure that all systems containing ePHI be inaccessible to unauthorized users and to ensure compliance by its workforce, among other requirements.
The Security Rule’s “technical safeguards” requirement sets mandatory specified standards including “access control,” which requires covered entities to “[i]mplement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights” to the information. The technical safeguards requirement provides four implementation specification options, including a specification for covered entities to implement a “mechanism” to encrypt and decrypt electronic protected health information.
HIPAA’s Privacy Rule generally prohibits a covered entity from using or disclosing protected health information without the written authorization of the individual to whom the PHI pertains.
M.D. Anderson’s Breach Incidents
Similar to so many other HIPAA breach cases, M.D. Anderson’s breach incidents began with an employee’s laptop containing PHI being stolen from the employee’s home in 2012. The laptop was not password-protected and was not encrypted. In 2012 and 2013, M.D. Anderson reported two other breach incidents resulting from two other employees losing USB thumb drives containing unencrypted patient information.
OCR alleged that as a result of the breach incidents, M.D. Anderson violated the Privacy Rule, which forbids the unauthorized disclosure of ePHI, and the Security Rule, which requires implementation of technical safeguards including, when reasonable and appropriate, the encryption of ePHI.
At the time of the breach incidents, M.D. Anderson had begun encrypting its laptops and other mobile devices but it had not encrypted all devices. Despite this, M.D. Anderson had a longstanding policy for its employees that required all mobile devices containing confidential or protected data to be encrypted. M.D. Anderson also furnished its employees with an “IronKey” to encrypt and decrypt mobile devices and trained its employees on how to use it.
M.D. Anderson acknowledged that the lost laptop and USB drives had not been encrypted, but it argued that its policy required employees to encrypt ePHI on mobile devices. M.D. Anderson argued that by maintaining such a policy it had implemented a “mechanism” to encrypt and decrypt ePHI and thus satisfied the Security Rule’s technical safeguard requirement. The administrative law judge rejected M.D. Anderson’s contention and concluded that, while the Security Rule provides covered entities with “considerable flexibility” on how to protect ePHI, “whatever mechanism an entity adopts must be effective.”
5th Circuit Weakens the Security Rule and Privacy Rule
On appeal, the 5th Circuit stated that the key question was whether HIPAA regulations required M.D. Anderson to do more, either by implementing an entirely different mechanism or by better implementing the mechanism it selected. The court rejected OCR’s contention that, by failing to actually encrypt the data on the mobile devices, M.D. Anderson had not satisfied the Security Rule’s requirement to implement a “mechanism” to safeguard the patient information. Rather, the court held that the Security Rule required M.D. Anderson to maintain a “mechanism” to encrypt the mobile devices and, by having a policy that required employees to encrypt mobile devices and providing them with tools to do so, M.D. Anderson met its burden to have a “mechanism.” Notably, the court found that the Security Rule did not require M.D. Anderson to have a “bulletproof” mechanism, nor was it required to enforce the mechanism “rigorously.”
Next, the 5th Circuit considered whether the loss of the mobile devices actually resulted in an unauthorized disclosure under the Privacy Rule. The Privacy Rule defines “disclosure” to mean the “release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.” In contrast to OCR’s interpretation, the court held that a disclosure occurs under the Privacy Rule only when (i) there is an “affirmative act” of disclosure by the covered entity and (ii) it is made to someone outside of the covered entity. Under the court’s pained interpretation of the Privacy Rule, M.D. Anderson’s loss of ePHI via theft and loss did not qualify as a disclosure. Furthermore, the court held that the regulation required OCR to prove that someone outside the covered entity actually received the ePHI, and that OCR had failed to do so here.
Finally, the 5th Circuit vacated the $4.3 million of CMPs against M.D. Anderson on the grounds that the fine was arbitrary and capricious, noting similar breach incidents in which OCR had assessed no penalties. In addition, the court re-emphasized DAB’s erroneous interpretation of the regulations at issue and noted that HHS itself had conceded two months after the DAB’s decision that it only had the authority to issue a fine of up to $450,000.
HIPAA Compliance Programs Must Be Strong and Effective
While M.D. Anderson appears to weaken OCR’s ability to enforce HIPAA regulations and civil monetary penalties, healthcare providers and other covered entities should view it as an important reminder of the need to review their HIPAA compliance plans and implement or strengthen safeguards to protect PHI. While the court granted M.D. Anderson significant financial relief, the decision does not relieve M.D. Anderson of the breach incidents themselves and the years of protracted government investigation and litigation.
The 5th Circuit’s decision likely will not be the last word on the Privacy Rule and Security Rule requirements. It should be safe to assume that OCR will review its regulations and promulgate new ones to remedy the enforcement deficiencies identified by M.D. Anderson.
Most importantly, covered entities that successfully encrypt or implement other technical safeguards that render patient information unreadable, unusable or indecipherable, gain the protection of safeguarding their patients’ information from unauthorized disclosure and also are not required to perform a breach risk assessment or notification. Patients expect their personal information to be protected from unauthorized access, and there is no relief available for the reputational and financial damage that result from breach incidents.