In a sharply worded opinion the 5th U.S. Circuit Court of Appeals overturned a $4.3 million penalty imposed on MD Anderson by the Office for Civil Rights (OCR), the HHS office that enforces HIPAA. MD Anderson (The University of Texas MD Anderson Cancer Center) is a leading cancer treatment facility located in the Texas Medical Center in Houston.
The new OCR Director (not yet appointed) will need to address what happened in the case, because the Court found long-used HIPAA enforcement tools to be unlawful.
Investigation Leads to Penalties and an Appeal
MD Anderson employees on three separate occasions lost a laptop and thumb drives containing unencrypted protected health information (PHI) for more than 34,000 patients. The healthcare facility reported the breaches to OCR, as required by HIPAA. OCR investigated and decided to impose civil money penalties, following the HIPAA Enforcement Rule.
MD Anderson appealed the administrative decision to the 5th Circuit Court of Appeals. It is the first HIPAA civil money penalty case to be reviewed by a U.S. Court of Appeals. Although the decision is binding only within the Fifth Circuit (Texas, Louisiana and Mississippi), it can be persuasive in other Circuits nationally.
One finding in the decision is certain to apply nationally. Other findings are controversial and will be debated in court, at the Department of Health and Human Services (HHS) and OCR.
The 5th Circuit vacated the $4.3 million civil monetary penalties and remanded the case for further proceedings, which are pending.
There are three key issues:
- Amount of civil money penalties
- Definition of ‘disclosure’ of PHI
- What is an acceptable ‘mechanism’ to protect electronic PHI
An Undisputable Finding
From 2009 to 2019 HHS applied a significantly higher annual cap on penalties for HIPAA violations due to reasonable cause than the 2009 HITECH Act permits ($1.5 million instead of $100,000). HHS acknowledged the error and revised its penalty structure in 2019. That correction aligns with the 5th Circuit decision: civil money penalties for violations of an identical provision due to reasonable cause now may not exceed $100,000 in a calendar year.
Findings that Will be Contested
MD Anderson argued that the mere loss of unsecured protected health information is not a ‘disclosure’ of PHI as defined by HIPAA, because there was no proof that anyone had actually received the lost PHI. The term “PHI” includes electronic PHI, which is sometimes referred to as ePHI.
MD Anderson also pointed to the wording of the HIPAA Security Rule’s encryption specification (45 CFR § 164.312(a)(2)(iv)), which requires a covered entity to “implement a mechanism to encrypt and decrypt” ePHI, and argued that it had such a mechanism. It used a software program to encrypt electronic devices and had a policy requiring all workforce members to use it. The workforce members who lost the devices did not follow the policy, but the mechanism existed.
The 5th Circuit agreed that the regulation requires a mechanism, not a guarantee that every device is encrypted. Providing encryption software, a policy requiring its use and workforce training on encryption was a sufficient ‘mechanism’ to satisfy the text of the Security Rule specification, even though the mechanism was not bulletproof.
What is an Unlawful Disclosure of PHI?
The judges in the 5th Circuit focused on the definition of ‘disclosure’. The Court agreed with MD Anderson that a passive loss (whether through carelessness or theft) does not automatically mean someone received it. And if someone who was not authorized didn’t see it, it wasn’t disclosed. You need to prove that someone received or saw it, according to the 5th Circuit.
HIPAA defines ‘disclosure’ as “the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information”. The Administrative Law Judge, agreeing with OCR’s decision, focused on the word “release” and concluded that a covered entity violates the Disclosure Rule whenever it loses control of ePHI – regardless of whether anyone outside of MD Anderson accesses it. The 5th Circuit disagrees.
The 5th Circuit decision distinguished between active and passive actions of disclosure, concluding that a loss through theft does not fit the plain meaning of ‘disclosure’.
Are Lost Laptops Containing PHI a Reportable Breach?
The MD Anderson case has significant implications. For example, the regulators currently treat the loss or theft of an unencrypted laptop containing PHI as a reportable breach of unsecured PHI. In this case HHS conceded that it could not prove anyone ‘outside’ MD Anderson received the lost unencrypted devices or the PHI they contained. Under HHS’ interpretation up to now that did not matter: losing control of unencrypted PHI was itself a breach, and it was still reportable.
But if loss or theft, without proof that someone received or viewed the PHI, is not a disclosure, the rule about what is reportable is in question, and enforcement activity regarding lost unencrypted electronic devices is hamstrung. Laptops, tablets, phones and USB thumb drives are all in the same category.
The Court noted that a covered entity does not have to act knowingly to violate HIPAA, and the HIPAA regulations contain different penalty tiers for knowing and unknowing violations. An unknowing disclosure (for example, accidentally sending email to the wrong address, or a lost or stolen unencrypted laptop that ends up in someone else’s hands) may violate HIPAA, but according to the 5th Circuit only if OCR can prove the PHI was received by an unauthorized person. An unknowing disclosure carries a lower penalty than an intentional one, and far lower than one that showed willful neglect.
HIPAA Enforcement After MD Anderson
As noted above, the 5th Circuit has sent the case back to the Administrative Law Judge for review, so it will be re-argued there and a new decision will issue. In the meantime, the 5th Circuit decision is binding in three states and persuasive to other courts nationally, setting up a challenge to OCR enforcement.
OCR could choose to go through a rulemaking process, and create another definition of “disclosure” to clear up any ambiguity but that takes years. Covered entities now face a conundrum – if an unencrypted laptop or other device is lost or stolen, do they have to report it?
Continue to Follow HIPAA
Until the regulations change, or a new interpretation is issued by OCR, a conservative approach is safest. Follow OCR’s current interpretation, and report a breach even if you’re unsure whether the protected health information ever reached anyone. As the investigation unfolds, you may later discover that someone received it.
Make sure all of your HIPAA policies are up to date and that a Risk Analysis – Risk Management plan is in place. Keep investigating the breach, and document everything. Your care and diligence will pay off in a stronger HIPAA compliance program, better protection of patient information, and lower penalties from OCR.