Texas Health System MD Anderson Seeks 5th Circuit Review of HHS Determination that HIPAA Required Encryption of its ePHI
On April 8, 2019, The University of Texas MD Anderson Cancer Center (MDA) filed a petition with the U.S. Court of Appeals for the Fifth Circuit seeking review of a decision by the Department of Health & Human Services’ (HHS) Departmental Appeals Board (DAB) Appellate Division to uphold $4.35 million in civil money penalties (CMPs) assessed against MDA by HHS for alleged violations of HIPAA’s Security and Privacy Rules.
The DAB’s decision, issued on February 8, 2019, affirmed a 2018 decision by an Administrative Law Judge that sustained CMPs issued against MDA arising from three HIPAA breaches in 2011 and 2012 (see our previous analysis of the ALJ’s decision here).
The CMPs were imposed in 2017 after an investigation which found that MDA allegedly violated HIPAA’s Security Rule and Privacy Rule in connection with the improper disclosure of ePHI of at least 34,883 individuals. In three separate incidents, portable electronic devices (two thumb drives and one laptop computer) of MDA workforce members containing ePHI were stolen or lost. In each case, the data on the portable electronic device were not encrypted. HHS’s Office for Civil Rights (OCR) thus alleged that MDA had violated the Privacy Rule prohibition on unauthorized disclosure of ePHI, as well as the Security Rule’s requirements concerning implementation of technical safeguards (and specifically, the encryption of ePHI where reasonable and appropriate).
After the ALJ upheld OCR’s imposition of the CMPs against MDA in 2018, MDA appealed to the DAB’s Appellate Division. The DAB affirmed the ALJ’s decision and the penalties in February, finding in pertinent part that “MDA was required to implement encryption” and that the encryption requirement as applied to MDA was “plainly mandatory” under HIPAA. MDA had argued that because the encryption standard within the Security Rule is an “addressable” implementation specification, it was optional. In response, the DAB determined that “addressable” is not equivalent to “optional”: an addressable specification requires an analysis of whether implementing it is reasonable and appropriate, and unless it is not reasonable or appropriate under the circumstances, implementation is required. The DAB further determined that “undisputable evidence shows that MDA determined that encryption of its portable electronic devices was reasonable and appropriate” and noted that various risk analyses carried out by MDA had identified the lack of encryption of ePHI as a high security risk. The DAB thus concluded that “the [HIPAA] regulations did not permit MDA to forgo encryption because it did not document that encryption was not reasonable and appropriate… [and] the record… shows no genuine dispute that MDA, in fact, determined, in its own words, not only that encryption was ‘reasonable and appropriate’ but that encryption ‘must be a required security control.’”
The DAB also affirmed the ALJ’s decision that the CMPs imposed against MDA were reasonable. MDA had argued that the CMPs were excessive in part because they were based on a determination that the Privacy Rule had been violated 34,883 times (based on the number of individuals whose ePHI was allegedly disclosed), even though MDA lost devices on only three occasions (and thus, in MDA’s view, should have been alleged to have committed only three violations). The DAB further upheld OCR’s imposition of per-day CMPs for MDA’s alleged Security Rule violations, relying in part on Security Rule preamble commentary (from HHS) stating that CMPs for ongoing Security Rule violations could be based on the number of days of noncompliance.
This dispute concerning HIPAA compliance, and MDA’s continued challenge to the substantial CMPs imposed by OCR in 2017, serve as an important reminder to health care providers and other entities subject to HIPAA that “addressable” implementation specifications under the Security Rule – considered at times to be less important than “required” specifications – are likely to be treated by OCR as mandatory unless an entity can demonstrate otherwise. Health care providers would, therefore, be well served to review the Security Rule’s safeguards and addressable implementation specifications, and to document the basis for any such specification that the entity can demonstrate is not reasonable or appropriate to implement. Furthermore, it remains to be seen whether the Fifth Circuit will intervene in this dispute, and if so, whether a federal circuit court will interpret the application of HHS-drafted regulations under HIPAA differently than HHS does.