Fifth Circuit: HHS's HIPAA Enforcement Was "Arbitrary, Capricious, and Contrary to Law" | Practical Law

The Fifth Circuit has issued a decision with potentially far-reaching implications in a dispute involving civil money penalties imposed by the Department of Health and Human Services (HHS) on a covered entity (CE) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In vacating HHS's imposition of penalties, the Fifth Circuit concluded that the penalties were arbitrary, capricious, and contrary to law.

by Practical Law Employee Benefits & Executive Compensation
Published on 19 Jan 2021 | USA (National/Federal)
The Fifth Circuit has issued a decision with potentially far-reaching implications in a dispute involving civil money penalties imposed by HHS on a health provider (and HIPAA covered entity (CE)) for failing to encrypt its devices (Univ. of Texas M.D. Anderson Cancer Ctr. v. U.S. Dep't of HHS, (5th Cir. Jan 14, 2021)). The court concluded that HHS's penalties were arbitrary, capricious, and contrary to law.

HHS Concedes That It Could Not Defend HIPAA Penalties

This litigation arose from a dispute over penalties that HHS imposed on a Texas-based health provider (and HIPAA CE) for violations of the HIPAA Privacy and Security Rules (see Practice Notes, HIPAA Privacy Rule and HIPAA Security Rule and HIPAA Privacy, Security, and Breach Notification Toolkit). HHS began its investigation after the CE submitted three separate HIPAA breach notification reports in 2012 and 2013 (see Practice Note, HIPAA Breach Notification Rules). The breach notifications involved:
  • The theft, from a workforce member's residence, of an unencrypted laptop computer that was used for teleworking and contained the electronic protected health information (ePHI) of nearly 30,000 individuals.
  • The loss of two unencrypted USB drives, which had belonged to a trainee and a visiting researcher (respectively), and collectively contained the ePHI of roughly 5,800 individuals.
HHS's subsequent investigation revealed that the CE:
  • Recognized the need to encrypt its devices beginning in 2006, but failed to begin implementing enterprise-wide encryption until 2011 and still had not completed encrypting its devices as of January 2013.
  • Impermissibly disclosed the ePHI of nearly 35,000 individuals.
After its investigation, HHS assessed the following penalties:
  • $2,000 per day for each day the CE failed to encrypt its electronic devices, for a total of $1,348,000.
  • $1.5 million per year for 2012 and 2013 for the impermissible disclosure of ePHI, for a total of $3 million.
The penalties were upheld by an administrative law judge (ALJ) and HHS's Departmental Appeals Board (see Legal Update, Failure to Encrypt Leads to $4.3 Million in HIPAA Civil Money Penalties and Practice Note, HIPAA Enforcement: Settlement Agreements). However, the CE later sought review of the penalties in federal court, at which time HHS acknowledged that it could not justify the full amount of the penalties and therefore asked that the penalties be reduced to $450,000.

Fifth Circuit: "No Lawful Basis" for Penalties

On a threshold issue, the Fifth Circuit reviewed the CE's arguments de novo because the ALJ and the Departmental Appeals Board had refused to consider whether the penalties were arbitrary, capricious, or contrary to law.
On the merits, the Fifth Circuit concluded that HHS's penalties were arbitrary, capricious, and contrary to law, and therefore should be vacated, for four reasons.
First, the court disagreed with HHS's conclusion that the CE violated HIPAA's encryption rule, which requires CEs to implement a method to encrypt ePHI (45 C.F.R. § 164.312(a)). For example, the CE maintained a policy requiring encryption, provided employees with an IronKey (a device used for encrypting and decrypting mobile devices), and trained employees on how to use the IronKey. HHS argued that the CE should have done more regarding encryption. The court concluded, however, that the CE clearly implemented a mechanism for encryption.
The court also disagreed with HHS's argument that the CE violated the encryption rule because the laptop and USB drives were not encrypted. In the court's view, the employees' failure to encrypt their devices, or the CE's failure to enforce its encryption mechanism, did not negate the fact that the CE had implemented a mechanism for encryption. The court observed that HIPAA's regulations do not require CEs to furnish bulletproof protection for all systems that contain PHI.
Second, regarding the HIPAA regulations' general rule prohibiting CEs from disclosing ePHI (45 C.F.R. § 164.502(a)), the court rejected the ALJ's interpretation of "disclosure" to mean any loss of control over ePHI, even if nobody outside the CE accesses the ePHI. According to the Fifth Circuit, the text of the disclosure rule indicates:
  • There must be an affirmative, rather than passive, disclosure.
  • The information must be disclosed to (that is, received by) someone outside the CE.
Because HHS could not show that anyone outside the CE received the ePHI, it failed to show a violation of the disclosure rule.
Third, the Fifth Circuit concluded that HHS failed to provide a "reasoned justification" for its inconsistent enforcement of the penalty rules. It is a bedrock principle of administrative law, the court reasoned, for an agency to treat like cases alike. However, the CE provided examples of other actions involving similar alleged violations of HIPAA's encryption rule where HHS imposed no penalties at all. HHS argued that it evaluates penalties on a case-by-case basis. In response, the court stated that HHS could not "hide behind the fact-intensive nature of penalty adjudications to ignore irrational distinctions between like cases."
Finally, the court held that the penalty amount was arbitrary, capricious, and contrary to law. On appeal, the ALJ had agreed that the CE's HIPAA violations were due to reasonable cause and not due to willful neglect. Accordingly, the penalties were subject to an annual limit of $100,000 under HIPAA (see Practice Note, HIPAA Enforcement: Penalties and Investigations: HHS's Reinterpretation of the HITECH Act). The ALJ and Departmental Appeals Board, however, applied an annual limit of $1,500,000 (see Legal Update, HHS Changes Course on Limits for HIPAA Civil Money Penalties). The court noted that the application of incorrect statutory caps also affected the ALJ's decision to not apply the factors for determining penalty amounts, since he found the penalties imposed to be a "small fraction" of the maximum allowed penalties (see Practice Note, HIPAA Enforcement: Penalties and Investigations: Factors in Determining Penalty Amount).

Practical Impact

For years now, we've been reporting HHS awards of substantial civil money penalties against CEs and business associates for instances of HIPAA noncompliance (for example, see Legal Update, Social Media Disclosure of NFL Player's PHI (and Other Violations) Lead to $2.15 Million in HIPAA Penalties). In this ruling, however, the Fifth Circuit (which covers Louisiana, Mississippi, and Texas) is highly critical of HHS for overreaching in its enforcement of the HIPAA Privacy and Security Rule—here, with regard to the regulations' encryption standards. And the court was especially bothered by the health provider's ability to show that other CEs violated HHS's interpretation of the encryption rules without being subject to financial penalties. It will be interesting to see if this ruling leads to further litigation challenging HHS's imposition of penalties on CEs—and whether HHS adjusts its approach to enforcing HIPAA as a result.
In another HIPAA development, HHS announced a settlement agreement with a New York-based health services corporation, a HIPAA CE, for potential violations of HIPAA's Privacy and Security Rules involving a cyberattack that resulted in the impermissible disclosure of the ePHI of over 9.3 million individuals. Under the agreement, the CE must pay $5.1 million and comply with a corrective action plan.