A Less Demanding HIPAA Standard: the 5th Circuit Holds OCR to the Letter of the Law

By Dayle A. Duran, Esq., CIPP/US and Dena M. Castricone, CIPP/US and CIPM

In January 2021, the 5th Circuit Court of Appeals issued an unanticipated decision that will send ripples across the healthcare industry for years. Beyond giving healthcare privacy and security professionals cause for relief, the M.D. Anderson v. HHS decision restores faith in the checks and balances on regulatory agency enforcement power.        

The threat of an Office for Civil Rights (OCR) enforcement action for HIPAA violations looms large over covered entities and business associates.  OCR’s findings of failure to adequately safeguard protected health information (PHI) or to secure electronic protected health information (ePHI) as required under HIPAA has resulted in numerous six and seven-figure settlements and penalties over the years.   

The University of Texas M.D. Anderson Cancer Center (M.D. Anderson) found itself facing just such a number following three breaches occurring in 2012 and 2013.  Between the theft of an unencrypted laptop containing the ePHI of nearly 30,000 individuals and two separate losses of unencrypted USB drives totaling 5,000 individuals, OCR slapped M.D. Anderson with a whopping $4.3 million civil monetary penalty for violating both the HIPAA Privacy and Security Rules. In a relatively uncommon move, M.D. Anderson appealed the penalty twice, finally landing before 5th Circuit Judges Engelhardt and Oldham.

Ultimately the 5th Circuit determined OCR’s enforcement actions were “arbitrary, capricious, and otherwise unlawful” for four reasons:

  1. The HIPAA Security Rule only requires entities to implement “a mechanism” for encryption; it says nothing about the mechanism’s efficacy.  

The facts surrounding the M.D. Anderson breaches help illustrate the common nature of these scenarios and the far-reaching implications of the 5th Circuit’s decision.  In the first breach, a physician purchased a laptop with funds from M.D. Anderson for teleworking purposes.  The physician never implemented any of the mobile device protection mechanisms detailed in M.D. Anderson’s policies and the unencrypted laptop was stolen from the physician’s home. 

The other two breaches involved misplaced USB drives.  A summer intern uploaded spreadsheets containing the ePHI of 2,264 patients to a USB drive.  The intern reported that she could not find the drive and believes she misplaced it on the way home from work.  In the second USB-related breach, a visiting researcher from another country used a personal USB drive to upload the ePHI of 3,598 individuals.  She later reported that the drive was no longer in her top desk drawer where she always kept it.  These USB drives were never found.

While M.D. Anderson certainly failed to encrypt the laptop and USB drives in question, it had in fact implemented various mechanisms to encrypt ePHI.   The 5th Circuit explained that the plain text of the HIPAA Security Rule “does not require a covered entity to warrant that its mechanism provides bulletproof protection of all systems containing ePHI.” As a result, an employee’s failure to leverage M.D. Anderson’s encryption mechanisms for portable computing devices does not itself violate the HIPAA Security Rule.

Without question, M.D. Anderson could have done more to ensure the encryption of ePHI – in fact, it had plans to do so – but HIPAA only requires that there be an encryption mechanism.  Nothing in the regulation says that it must be the most effective or even a reasonably effective mechanism.  According to the regulatory text, any mechanism will do, and if OCR wants to add a quality measure, as the 5th Circuit pointed out, it must go through the rule making process to amend the regulation.

2. Disclosure under the HIPAA Privacy Rule requires an affirmative act.

Part of the massive penalty against M.D. Anderson was based on OCR’s finding that M.D. Anderson impermissibly disclosed the ePHI of more than 30,000 individuals.  The HIPAA Privacy Rule defines a disclosure as “the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.” According to the 5th Circuit, all the verbs in that sentence imply an affirmative act on the part of the Covered Entity or Business Associate to constitute a disclosure. Disclosure under HIPAA implies a target for the information outside the organization, thus, the court held that M.D. Anderson could not affirmatively share information if there was no proof of a specific “someone” outside of M.D. Anderson to whom the ePHI was directed.  

The 5th Circuit chided the Administrative Law Judge (ALJ) for concluding that any loss of ePHI was a release because “it defies reason to say an entity affirmatively acts to disclose information when someone steals it.”  This could be a game-changer with respect to cybercrimes that involve access or exfiltration of ePHI.    

3. OCR cannot inequitably penalize organizations for the same type of violation.

Because OCR did not penalize several other covered entities for similar breaches, and “offered no reasoned justification for imposing zero penalty on one covered entity and a multi-million-dollar penalty on another,” the court found that the agency’s assessment of a civil monetary penalty against M.D. Anderson was arbitrary.

4. OCR cannot assess penalties that exceed the statutory annual maximum penalty.

The statute authorizing the collection of civil monetary penalties for HIPAA violations limits all “reasonable cause” penalties to $100,000 within a calendar year.  The ALJ found that M.D. Anderson’s conduct was subject to the reasonable cause standard.  Had OCR properly applied the annual maximum, the most it could have fined M.D. Anderson was $500,000 based on its allegations of three years of failure to encrypt, and improper disclosures of ePHI in 2012 and 2013.  Notably, OCR conceded that “it misinterpreted the statutory caps” and published a notice on the subject.

Important Takeaways:

  • Any encryption will do – for now. The HIPAA Security Rule requires organizations to implement mechanisms for encryption; it does not require the best encryption in the world (or mediocre encryption for that matter). 

It is worth noting that while the regulations do not technically mandate encryption, for all practical purposes, in today’s environment, it is required.  The rule lists encryption as an “addressable” implementation specification, not a “required” specification.  “Addressable” means that the entity could determine that implementing such a specification is not reasonable for the organization.  When the rule became effective back in 2003, it may have been possible to conclude that encryption was not reasonable for certain providers because it was cost prohibitive.  That is no longer the case.

Although encryption essentially is required, the good news is that covered entities and business associates do not need to shell out money for top-of-the-line (or even middle-of-the-road) technology.  According to the 5th Circuit, ANY mechanism will do until OCR amends the rule to require otherwise.  And rest assured, after this decision, OCR will amend the rule. 

  • Criminal conduct or loss that did not involve an affirmative act cannot be an improper disclosure under HIPAA.  Although this logical conclusion has many applauding the crackdown on OCR’s overbroad interpretation of “disclosure,” the effect of the decision may be limited.  Instead of alleging an impermissible disclosure, as in the M.D. Anderson case, OCR could have alleged something other than improper disclosure.  In any event, this case reminds us of the importance of scrutinizing OCR’s actions and allegations to ensure that it is operating within the boundaries of the law. 
  • Consistency in enforcement matters.  OCR cannot turn a blind eye in one instance but assess heavy penalties in another.
  • The law matters.  OCR cannot ignore Congress’s statutory penalty caps or the plain language of the regulations.