The University of Texas M.D. Anderson Cancer Center (“M.D. Anderson”) successfully appealed the imposition of $4.35 million in civil monetary penalties (“CMP”).
In 2017, CMPs were imposed against M.D. Anderson for alleged HIPAA breaches that occurred in 2011 and 2012. The breaches involved electronic protected health information (“ePHI”) of nearly 35,000 individuals that was allegedly disclosed when portable devices (two thumb drives and a laptop) were lost or stolen. The data on the devices was not encrypted. M.D. Anderson challenged the fines and penalties proposed by the Department of Health & Human Services’ (“HHS”) Office for Civil Rights (“OCR”). In June 2018, an Administrative Law Judge (“ALJ”) granted summary judgment in favor of OCR and imposed fines and penalties of $4,348,000.
M.D. Anderson appealed to HHS’ Departmental Appeals Board (“DAB”). One of M.D. Anderson’s arguments was based on the CMP amount, which M.D. Anderson argued was excessive partly because of how the government determined violations. For example, the government argued there were 34,833 violations based on the number of individuals exposed, while M.D. Anderson argued there were only three violations – one for each incident where an item was lost or stolen. M.D. Anderson also argued that the government was far more lenient to other covered entities in similar cases. In February 2019, the DAB upheld the $4.35 million CMP.
In April 2019, M.D. Anderson appealed to the U.S. Court of Appeals for the Fifth Circuit pursuant to 42 U.S.C. §1320a-7a(e). The Court noted that “[a]fter M.D. Anderson filed its petition, the Government conceded that it could not defend its penalty and asked us to reduce it by a factor of 10 to $450,000.” Despite the government’s concession, the Court determined that “[t]he Government’s CMP order against M.D. Anderson was arbitrary, capricious and otherwise unlawful…for at least four independent reasons.”
1. First, the Court analyzed the Encryption Rule, which requires covered entities to “[i]mplement a mechanism to encrypt and decrypt electronic protected health information.” 45 C.F.R. § 164.312(a)(2)(iv). The Court accepted that the lost and stolen devices were not encrypted, but noted that “nothing in HHS’s regulation says that a covered entity’s failure to encrypt three devices means that it never implemented ‘a mechanism’ to encrypt anything at all.” The Court found that M.D. Anderson satisfied the Encryption Rule, even if its encryption mechanisms could have been better. The holding turns on the text of the rule, which requires a mechanism rather than encryption of every device; it does not suggest that leaving ePHI unencrypted on portable media is sound practice, and the three devices at issue were in fact unencrypted.
2. Second, the Court analyzed the definition of “disclosure” of ePHI in the Disclosure Rule (45 C.F.R. § 160.103) and questioned whether the hospital had disclosed PHI in violation of HIPAA at all. Specifically, the Court “refuse[d] to interpret § 160.103 to mean that HHS can prove that M.D. Anderson ‘disclosed’ ePHI without proving that someone outside the entity received it.” Loss or theft of a device, without evidence that anyone outside the entity received the data on it, was therefore not enough. The government conceded that it could not meet the standard described by the Court.
3. Third, in response to M.D. Anderson’s argument that the CMPs in other instances of ePHI loss were more lenient, the ALJ concluded that the regulations did not require the evaluation of penalties based on a comparative standard. Despite the ALJ’s insistence (and DAB’s agreement), the Court explained that “[i]t is a bedrock principle of administrative law” that an agency must “treat like cases alike.” By failing to consider similar cases, the ALJ allowed the government to enforce the CMP rules arbitrarily and capriciously.
4. Fourth, the Court vacated the $4.35 million penalty because the government misinterpreted the statutory caps on CMPs and, as a result, miscalculated the CMP.
The Court ultimately held that the government offered no lawful basis for the CMP imposed, vacated the CMP order, and remanded the case for further proceedings.
The attorneys at Chilivis Grubman assist businesses of all types and sizes in connection with HIPAA-related matters, including breach response, breach notification, OCR investigations, and resulting civil litigation. If you need assistance with such a matter, please contact us today.