The U.S. Court of Appeals for the 5th Circuit just issued a blistering attack on HIPAA enforcement by the U.S. Department of Health and Human Services (HHS). In University of Texas M.D. Anderson Cancer v. Department of Health and Human Services (No. 19-60226, Jan. 14, 2001), the 5th Circuit struck down a fine and enforcement action by HHS as arbitrary and capricious. This case has significant implications for HHS enforcement — and for agency enforcement more generally.
My reactions to the case are mixed. The court makes a number of good points, and it identifies flaws with HHS’s interpretation of HIPAA and with its enforcement approach. But there are parts of the opinion that overreach and that are unrealistic.
The case arises out of an HHS civil monetary penalty (CMP) against the University of Texas M.D. Anderson Cancer Center for $4,348,000 for a series of incidents involving unencrypted portable electronic devices being lost or stolen. In 2012, a faculty member had ePHI of 29,021 people on an unencrypted laptop that was stolen. Subsequently, in 2013, a trainee and visiting researcher lost unencrypted USB drives with ePHI of thousands of patients on them. HHS imposed a fine of $1.348 million for violating the HIPAA Encryption Rule for the 2012 incident and $1.5 million for each of the 2013 incidents, adding up to a total of $4.348 million.
Applying the Administrative Procedure Act (APA), the Fifth Circuit concluded that HHS’s enforcement was “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.” 5 U.S.C. § 706(2). There are several parts of the court’s decision that are worth discussing.
(1) Interpretation of the Encryption Rule
The court held that HHS misinterpreted the HIPAA Encryption Rule. The rule states that covered entities must “implement a mechanism to encrypt and decrypt electronic protected health information.” 45 C.F.R. § 164.312(a)(2)(iv). HHS contended that the rule was violated because the devices weren’t encrypted. The court, however, emphasized that the rule used the words “implement a mechanism to encrypt” rather than to ensure that devices were encrypted:
The regulation requires only “a mechanism” for encryption. It does not require a covered entity to warrant that its mechanism provides bulletproof protection of “all systems containing ePHI.” Nor does it require covered entities to warrant that all ePHI is always and everywhere “inaccessible to unauthorized users.” . . . . Nor does it say anything about how effective a mechanism must be, how universally it must be enforced, or how impervious to human error or hacker malfeasance it must be. The regulation simply says “a mechanism.”
The court begins by making some good points about HHS’s faulty interpretation of its rule, but the court ultimately ends up with a faulty interpretation of its own. The court is right that the rule says “a mechanism” rather than requiring that all devices be encrypted. Thus, penalizing M.D. Anderson merely for the failures to encrypt would be improper. The court is also right in pointing out that the rule is poorly drafted. The rule ought to mention something about the nature and effectiveness of the mechanism.
But beyond these points, the court then goes off the rails in its own interpretation. Most laws and regulations are written quite poorly, and courts routinely clarify them and add in implied terms. It is ridiculous to conclude, as the court does, that the rule simply requires a mechanism even if it is totally ineffective. The court should have interpreted the rule more charitably to require at least a reasonably effective encryption mechanism. It is sensible and almost expected that “reasonably effective” be implied into the rule. Otherwise, the rule is absurd; a covered entity could satisfy the rule by providing an encryption mechanism that doesn’t work at all.
Interpreting the rule to require a reasonably effective mechanism still doesn’t mean that HHS should win. But it changes the inquiry. The court is right that the failure to encrypt isn’t the right thing to look at. But neither is the mere existence of a mechanism. Instead, the key issue is whether there is a reasonably effective mechanism. For that question, part of the effectiveness of an encryption mechanism is how aware people are of it, how easy it is to use, and how it attempts to minimize human error. An encryption mechanism that nobody knows about or uses isn’t effective. Likewise, an encryption mechanism that is needlessly difficult or inconvenient to use isn’t effective. Unfortunately, the court interpreted the Encryption Rule into something silly, effectively nullifying the rule.
(2) Selective Enforcement
The most interesting part of the court’s opinion is its faulting HHS for selective enforcement of HIPAA. The court notes that in several other cases involving violations of the Encryption Rule, HHS didn’t impose monetary penalties. The court held that it was arbitrary and capricious to impose civil monetary penalties against some entities that violated the rule but not all. “Were it otherwise,” the court reasoned, “an agency could give free passes to its friends and hammer its enemies.”
At the level of theory, I agree. It would be great for agency enforcement to be completely uniform. But in practice, the court is being unrealistic. There are about 20,000 to 30,000 HIPAA complaints per year, and there are far too many cases to be enforced against to adopt this penalize-them-all approach. Here’s a chart from HHS about enforcement results for 2019:
Two things are notable here. The “no violation” piece of the pie is quite small – just 13%. There were only 10 settlements and civil monetary penalties. This leaves a gigantic number of cases involving violations that don’t receive monetary penalties. HHS lacks the resources to issue monetary penalties to thousands. So, it singles out a few unlucky souls to suffer a monetary penalty to make examples out of them. On average, HHS issues about 10-12 monetary penalties a year, which is a minuscule fraction of the violations. This is true for most agency enforcement. The FTC only brings a few enforcement actions for FTC Act Section 5 violations (about 10-12 per year on average). The reason for so few actions isn’t that there aren’t many violations; it’s that it takes a lot of resources to bring an action. It’s easy for an agency just to issue warnings or stern letters to do better in the future. It’s much harder to bring an enforcement action or issue a monetary penalty, as it requires a lot more work and resources to defend if challenged.
In a perfect world, I’d love to see agencies enforce equally against all similar violations. But we’d need agencies that are 10 times the size and resources (or 20 times or 100 times). Professors are often accused by courts of not living in the real world, so it feels weird for me to accuse the Fifth Circuit of being out of touch with the reality on the ground.
The court’s opinion has some difficult implications for the future of agency enforcement. The court suggests that if an agency doesn’t enforce equally for all violators, then its enforcement will be arbitrary and capricious. Thus, agencies must either try to enforce equally against all violators or find it nearly impossible to issue monetary penalties, especially for common violations, because there are too many cases.
What is HHS to do? For nearly every HIPAA violation, cases can be found where monetary penalties weren’t imposed. Based on the court’s reasoning, it is hard to see how HHS could ever impose a monetary penalty again. HHS could try to usher in a new enforcement era, henceforth imposing monetary penalties on all violations, but it strikes me as impractical at present.
(3) Statutory Cap on Reasonable-Cause Violations
The court also concluded that HHS’s interpretation of the statutory cap on penalties for reasonable-cause violations was incorrect. HHS interpreted the cap at $1.5 million, but the cap is $100,000. HHS conceded that it misinterpreted the cap.
The court faulted the ALJ for ignoring some factors in determining the civil monetary penalty, but the court only lists four factors, singling out those that involve harm. There are many other factors the court didn’t discuss such as the nature and extent of the violation, the number of individuals affected, previous violations, how well the entity responded to prior complaints, the financial condition of the entity, and other considerations. Ultimately, I think that the regulations focus too much on actual harm because HIPAA penalties are not compensatory. The extent of the harm for any particular violation could just be a fluke. When the money goes to compensating victims, then harm is relevant to the penalty. Otherwise, the inquiry should focus on the likely harm from a violation and the optimal penalty to achieve deterrence. The regulation doesn’t follow this approach. On this point, the fault is with the regulation, not the court.
Overall, the $4.348 million penalty imposed upon M.D. Anderson strikes me as excessive. I would have liked to learn more about whether the failure to encrypt was caused by rogue actors or whether there was a more systemic problem that led to these failures (lack of training, a clunky encryption mechanism, a lack of access to the mechanism, failure to use reasonable controls to limit the ease of transferring ePHI to unencrypted portable devices, etc.). But ultimately, based on the facts I read, the penalty seems quite high for what are rather common violations and ones that are not that egregious compared to other cases. Indeed, reading through the HIPAA enforcement cases is eye-opening as to how badly HIPAA is followed by many entities.
* * *
The court put HIPAA enforcement under the microscope — indeed, it placed much of agency enforcement under the lens. There are many valid points that the court raises, and I share its ideals of uniform widespread enforcement and better-drafted regulations. But we live in an imperfect world, with most laws and regulations not being drafted well and with most agencies lacking sufficient resources. Maybe the court’s idealistic decision will spark new and improved enforcement practices that involve smaller penalties to a much larger number of entities. If this can be pulled off, I think it could be a good thing. But it will demand a revolution in the way agencies enforce laws, and I doubt they are equipped for it.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.