The Department of Health and Human Services’ (HHS) Office for Civil Rights enforces HIPAA compliance by imposing civil monetary penalties (CMPs) on HIPAA covered entities for violations of the HIPAA Privacy and Security Rules. Practices may appeal the monetary determination in civil court. Almost all appeals to date have been unsuccessful. Almost. On January 14, 2021, the United States Court of Appeals for the Fifth Circuit (“5th Circuit”) vacated, or set aside, a $4.3 million CMP imposed by OCR in 2017 on provider M.D. Anderson Cancer Center. M.D. Anderson is part of the University of Texas health system. The 5th Circuit found that OCR’s decision was arbitrary and capricious, meaning the decision lacked a valid legal basis. The 5th Circuit case, and what it means to providers and business associates, is discussed below.

Reading the Fifth: The Facts

In 2017, OCR issued its $4.3 million CMP on two grounds: 1) M.D. Anderson allegedly improperly disclosed PHI, in violation of the HIPAA Privacy Rule; 2) M.D. Anderson failed to implement a mechanism to encrypt ePHI, in violation of the HIPAA Security Rule. The OCR’s penalty was affirmed by an HHS administrative law judge. M.D. Anderson appealed the judge’s decision. The 5th Circuit then reviewed the decision anew, reversing the judge’s decision.

The facts of the 5th Circuit HIPAA case are fairly simple. First, an M.D. Anderson faculty member’s laptop was stolen in 2012. The laptop was not encrypted or password-protected, but it did contain “electronic protected health information (ePHI) for 29,021 individuals.” Second, also in 2012, an M.D. Anderson trainee lost an unencrypted USB thumb drive during her evening commute. That thumb drive contained ePHI for over 2,000 individuals. Finally, in 2013, a visiting researcher at M.D. Anderson misplaced another unencrypted USB thumb drive, this time containing ePHI for nearly 3,600 individuals. From these facts, HHS concluded that M.D. Anderson failed to properly encrypt ePHI, and impermissibly disclosed it.


Reading the Fifth: The Law

In the 5th Circuit HIPAA case, the 5th Circuit rejected OCR’s conclusion that M.D. Anderson had failed to implement a mechanism to encrypt ePHI. M.D. Anderson had implemented several mechanisms to encrypt ePHI, including an “IronKey” for mobile device encryption and decryption, as well as a mechanism to encrypt emails. By doing so, the 5th Circuit held, M.D. Anderson satisfied the only legal requirement at issue: the requirement to implement a mechanism to encrypt ePHI.

The 5th Circuit held that the judge erred in reading the Encryption Rule to require more than its plain text does. The rule simply requires that a covered entity or business associate implement a mechanism to encrypt ePHI. The judge interpreted the rule to mean that covered entities were required to assure that “All systems containing ePHI be inaccessible to unauthorized users.” In other words, the judge invented a requirement under which a covered entity must not only implement a mechanism for encryption; the mechanism must also be foolproof. And if it is not, the judge reasoned, HIPAA has been violated. The 5th Circuit rejected this reasoning, finding that the encryption “failure” at M.D. Anderson was that three workers failed to abide by the encryption mechanism, or that the mechanism was not rigorously enforced. (M.D. Anderson might have done a better job of training its workers on how to secure mobile devices from theft, though.) Since all that the rule required was for M.D. Anderson to HAVE a mechanism, which it did, there was no HIPAA violation.

The Fifth Circuit likewise rejected the judge’s conclusion that M.D. Anderson committed a Privacy Rule violation. The Privacy Rule, as relevant to this case, prohibits a covered entity from “disclosing” PHI. The rule defines disclosure as “the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.”

The judge concluded that what this means is that a covered entity violates the “