Last January, in University of Texas M.D. Anderson Cancer Center v. HHS, 985 F.3d 472, the Fifth Circuit Court of Appeals cast a pretty big shadow of doubt over data security enforcement by the Department of Health and Human Services. But it's not game over for HHS Health Insurance Portability and Accountability Act enforcement. Of the court's four rationales, one seems clearly wrong (although it highlights an important issue), one seems right, the third appears to require more care by HHS when setting fines, and the fourth calls out for Congressional attention.
The case arose after the University of Texas M.D. Anderson Cancer Center lost patients' data: one stolen unencrypted laptop and two incidents of lost unencrypted flash drives. In response, HHS investigated, found violations of the HIPAA Security and Privacy Rules, and fined M.D. Anderson $4,348,000. After M.D. Anderson filed its petition for review in the Fifth Circuit, HHS reinterpreted the HIPAA provision setting fines for various types of offenses, concluding that the fines it had been imposing were too high by an order of magnitude. Giving the agency no credit for that reversal, the appeals court concluded that HHS's determination against M.D. Anderson and the initial fine were arbitrary, capricious and contrary to law for at least four independent reasons.
First, the court focused on HHS's finding that M.D. Anderson had violated what the court referred to as the "encryption rule": "Implement a mechanism to encrypt and decrypt electronically protected health information." As the court noted, encryption is an "addressable" item under the HIPAA Security Rule, but M.D. Anderson had chosen encryption as its means of meeting the HIPAA rule's access control standard, so the case proceeded on the assumption that it was required to follow through.
After quoting the rule, the court said: "It is undisputed that M.D. Anderson implemented 'a mechanism.'" But that wasn't undisputed at all. What was agreed was that M.D. Anderson had a policy of requiring encryption and that it had provided its employees with the tools for encryption. However, in focusing on the word "mechanism," the court ignored the word "implement."
In fact, HHS, in its notice of proposed determination against M.D. Anderson, and the administrative law judge, in his ruling on the cancer center's case, cited extensive evidence that M.D. Anderson had failed to implement its encryption policy, making, according to the ALJ, only "half-hearted and incomplete efforts" in the years before the three losses. According to the ALJ, M.D. Anderson did not finally begin mass encryption of its laptops until May 2012, after the first incident cited by HHS (the theft of a laptop with the unencrypted data of almost 30,000 individuals). It did not even purchase and distribute encrypted USB devices until after the first two losses of unencrypted USB devices cited by HHS.
The Fifth Circuit said, "The regulation requires only 'a mechanism' for encryption." That's just not correct: the regulation requires a covered entity to "implement a mechanism." Surely, the Fifth Circuit's opinion cannot stand for the proposition that the HIPAA Security Rule is satisfied by having a security policy and systematically failing to follow it without effective alternatives.
The court's struggle with HHS's enforcement posture is understandable given that HHS has never clarified an important point: How substantial must compliance be to avoid liability under the HIPAA Security Rule? The court caricatured HHS's position as arguing that M.D. Anderson had "no mechanism at all if three of its devices are unencrypted or decrypted." In fact, HHS had determined that M.D. Anderson was no longer in violation of the encryption obligation as of January 25, 2013, when the center reported that it had achieved 98% compliance, meaning that, with an inventory of 33,385 computers, it still had about 668 devices unencrypted. (See OCR Notice of Proposed Determination, paragraphs 4 and 5. Later, the ALJ cited evidence that the number of unencrypted devices as of November 2013 was much higher.)
HHS reporting on its enforcement actions indicates that its enforcement practice is not the one of strict liability the court painted it as. HHS is clearly applying some kind of reasonableness standard. According to HHS, since April 2003, OCR has received more than 254,940 HIPAA complaints and initiated more than 1,067 compliance reviews (most of those triggered by breach notices). Still, it has entered into settlements involving a monetary payment or imposed a civil money penalty in only 95 cases. Hardly strict liability.
In terms of clarity of the standard for HIPAA compliance, the problem is that almost all HHS security investigations settle with some form of corrective action, but without the respondents admitting wrongdoing and without HHS ever having to specify exactly where partial compliance efforts fell short. This is a broader problem characteristic of the settlement-based approach that prevails across all of cybersecurity enforcement. In the case of HIPAA, the problem is more acute since the Security Rule does speak in absolute terms: health care providers must "ensure the confidentiality" of their patients' individual health data. Ensure means guarantee, but that's just not possible. There is no perfect security. The FTC has long made this clear, stating that "the mere fact that a breach occurred does not mean that a company has violated the law."
If HHS doesn't want to run into further problems with entities that may be emboldened now to challenge its enforcement actions, it should issue guidance on how it interprets the Security Rule and be explicit in its determinations about why it is finding violations by an entity. The challenge, of course, will be to articulate in writing that perfection is not the legal standard without giving regulated entities a hole they can drive a truck through.
The court's second basis for its decision – that a loss of data due to theft or misplacing of a portable device is not a "disclosure" under the Privacy Rule – is, in my view, probably right, but it merits a separate post.
The third basis of the court's decision was M.D. Anderson's argument that it was treated arbitrarily since other entities that violated the government's understanding of the "encryption rule" had faced zero financial penalties. According to the court, "The Government has offered no reasoned justification for imposing zero penalty on one covered entity and a multi-million-dollar penalty on another." This is a little unfair: The HIPAA rules include some pretty detailed requirements on factors to be considered in setting fines, and HHS followed them in its action against M.D. Anderson. But the rules do not address the question of how HHS decides which of many violations deserves a penalty in the first place. This is directly related to the point above: the government has to be able to articulate its line drawing.
The fourth basis for the court's decision, regarding the size of the penalty, arose because of a ridiculously convoluted statutory provision. For years, HHS interpreted the provision as imposing a $1,500,000 yearly cap on violations that were due to reasonable cause and not to willful neglect. After the fine for M.D. Anderson was set based on that interpretation, the Trump Administration's HHS reversed itself and concluded that the maximum per year fine for "reasonable cause" violations was $100,000. (A nice win for the industry.)
The Fifth Circuit claimed that the matter was clear-cut: "For such 'reasonable cause' violations, Congress specified that 'the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $100,000.'" Congress specified no such thing. What Congress said was that the penalty for reasonable cause violations should be "at least the amount described in paragraph (3)(B) but not to exceed the amount described in paragraph (3)(D)."
Under (3)(B), the amount is "$1,000 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $100,000," but under (3)(D) the amount is "$50,000 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000." So what Congress really specified was two minimums and two caps. HHS's initial interpretation, taking the minimum in (3)(B) and the maximum in (3)(D), seems reasonable. After all, the statute says the penalty for reasonable cause violations should be "at least the amount described in paragraph (3)(B) but not to exceed the amount described in paragraph (3)(D)."
A yearly cap of $100,000 seems trifling for a violation that may lead to the compromise of hundreds of thousands or millions of records. For large institutions, $100,000 seems to provide scant deterrence. The Biden HHS could reject the Trump administration's reinterpretation, but it might run into trouble for changing its mind a second time. And a rule change definitely won't fly in the Fifth Circuit since the court interpreted the statute as setting the $100,000 cap. It seems that only Congress could fix this by rewriting the convoluted 42 U.S.C. § 1320d–5.