On June 18, 2018, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that an HHS Administrative Law Judge (“ALJ”) granted summary judgment to OCR in an enforcement action against The University of Texas MD Anderson Cancer Center. The ALJ found that the Center violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules and upheld OCR’s imposition of $4.3 million in civil money penalties (“CMPs”). This ruling is significant because it is only the second summary judgment victory in OCR’s history of HIPAA enforcement, and the penalty amount is the fourth largest amount ever awarded to OCR by an ALJ or secured in a voluntary settlement for HIPAA violations.
OCR began its investigation after the Center reported three separate data breaches: the theft of an unencrypted laptop from the residence of a Center clinician in 2012 and the loss of unencrypted USB drives by a trainee in 2012 and by a visiting researcher in 2013. The three breaches affected the electronic protected health information (“ePHI”) of over 33,500 individuals. Through its investigation, OCR learned that the Center had recognized in a security risk analysis that the lack of device-level encryption posed a high risk to the security of its ePHI and had adopted written policies requiring encryption dating back to 2006. Its parent, the University of Texas System, also had directed its subsidiaries and affiliates not to store confidential data on portable devices and had required encryption using approved methods if data was stored on such devices. Despite these policies and its own identification of the lack of encryption as a risk, the Center did not begin an enterprise-wide effort to encrypt laptops and desktops until 2011. Even after the first two breaches occurred, the Center took another six months to complete encryption of the electronic devices containing ePHI.
While OCR enforcement actions most often are resolved by informal means or settled through resolution agreements, this matter was contested, leading to an administrative adjudication. OCR sent the Center a letter of opportunity outlining allegations of non-compliance with the Security Rule on August 11, 2016. On review of the Center’s response, OCR declined to waive the CMPs or to recognize any affirmative defense or mitigating factors, and it issued a Notice of Proposed Determination to impose the CMPs on March 24, 2017. Importantly, OCR gave no weight to the absence of physical, financial or reputational harm to any individual resulting from the lack of encryption and instead considered the following factors in determining the CMP amounts: (1) annual security reports in 2010 and 2011 stating that the high risks for mobile media had not been mitigated by encryption, (2) the Center’s fiscal year 2011 security risk analysis indicating that no enterprise-wide encryption solution was in effect for laptops and mobile devices and that downloading ePHI to mobile devices was high risk, (3) evidence that on 19 separate occasions in 2011 the Center reported lost or stolen mobile devices containing ePHI to the University of Texas Police Department, and (4) the length of time unencrypted devices remained in use after the Center had actual knowledge that encryption was necessary to secure ePHI on mobile devices. OCR calculated $1.5 million in CMPs for each of 2012 and 2013 for the impermissible disclosure allegations under the HIPAA Privacy Rule, plus a $2,000 per day penalty from March 24, 2011 to January 25, 2013 for the violation of the encryption specification under the HIPAA Security Rule. For both violations, OCR used the CMP penalty tier for “reasonable cause” violations, meaning the Center was not penalized at the higher “willful neglect” tier.
After receiving OCR’s Notice of Proposed Determination, the Center exercised its right to a CMP hearing under HIPAA claiming that (i) it was not obligated to encrypt its devices, (ii) the data at issue was research information not subject to HIPAA’s nondisclosure requirements, and (iii) HIPAA’s penalties were unreasonable. The ALJ rejected each of these arguments, stating that the Center failed to protect patient information from a risk that it “not only recognized, but that it restated many times.” The ALJ pointed to the failure to execute on the Center’s encryption plan as the proximate cause of the subsequent ePHI loss.
There are a few important takeaways from this case. First, in the context of a summary judgment motion in an administrative hearing, HHS ALJs acting within a limited delegation of authority from the HHS Secretary may simply apply HHS regulations and interpretations to uphold the OCR action. Here, the ALJ declined to consider several arguments the Center raised that would have required him to reject HHS statutory interpretations or to declare HHS rule-making ultra vires or its imposition of the CMPs unconstitutional. Instead, the ALJ flatly rejected the Center’s arguments that HIPAA did not apply to the loss of these devices and that the Center could not be held responsible for workforce members who did not follow its policies. The Center contended that absent evidence that the ePHI had been received or viewed by an unauthorized individual, a “disclosure” had not occurred. The ALJ ruled that the plain meaning of the term “disclosure,” which is defined in the HIPAA regulations to include the “release . . . of information outside the entity,” did not require evidence that ePHI had been received or viewed by an unauthorized individual. The ALJ also rejected the argument that the ePHI was research information outside the scope of HIPAA’s reach and left for another day any question of whether a hybrid entity can segregate its health care component responsible for PHI from its research component so as to exempt the research function from the HIPAA non-disclosure requirements. It was reported that the Center plans to appeal the ALJ ruling.
Second, this case serves as a reminder that OCR (and the HHS ALJs conducting HIPAA CMP hearings) will focus on the failure to protect ePHI from an identified risk. OCR does not look favorably on an entity that identifies significant risks but fails to adequately address them. The HIPAA Security Rule requires covered entities and business associates to conduct a risk analysis that identifies the actual and potential risks and vulnerabilities to their ePHI, and then to implement security measures sufficient to reduce those risks to a reasonable and appropriate level. This case reinforces that simply performing a risk analysis and writing a policy is not enough: organizations must then act on the risks and vulnerabilities identified during the risk analysis to be compliant with the HIPAA security standards.
Speaking at the AHLA Annual Meeting on June 26, 2018, Serena Mosley-Day from OCR explained her view that this case is about the failure to manage an identified risk in order to prevent future impermissible disclosures. Mosley-Day noted that during the three-year period ending April 30, 2018, 44% of the large breaches reported to OCR (those affecting 500 or more individuals) involved the loss or theft of ePHI, and laptops accounted for 50% of those loss and theft breaches. While encryption is an “addressable” rather than “required” implementation specification under the HIPAA Security Rule, addressable does not mean optional. An entity may satisfy an addressable specification by documenting why the specified measure is not reasonable and appropriate in its environment and implementing an equivalent alternative measure, but here the ALJ found no facts suggesting that the Center had developed any alternative measures to protect ePHI on portable devices while encryption was delayed. Rather, the ALJ found that the Center delayed the implementation of encryption technology for five years while acknowledging the risks of not preventing the download of ePHI to mobile media and of storing PHI on unencrypted devices.
In the past, encryption was difficult to implement and often prohibitively expensive. By 2012, HIMSS reported that 80.6% of hospitals and 53.3% of physician practices were using encryption for laptop computers. Today, full-disk encryption and encryption for removable media are easier and more affordable, even for small and mid-size entities, and mobile device management tools that track, remotely wipe, and block lost or stolen laptops from accessing the network are far more common. Thus, where the risk is high and the burden is low, or where the entity has a written policy requiring encryption (or another safeguard) but fails to implement it, the entity risks both further breaches and an enforcement action if OCR investigates any breaches that result.
Finally, the decision is a blunt reminder that privacy and security professionals should close any gap between their written security policies, gap analyses, and risk assessments and the reality at their entity. HIPAA requires covered entities and business associates to periodically evaluate the extent to which they comply with the security standards. Any gaps identified, and the progress toward closing them, should be measured and managed by the entity, because repeatedly failing to do what the entity said it would do to prevent future impermissible disclosures can become a key determinant in an OCR compliance review or breach investigation. It is essential that if and when these risks materialize, breach response teams carry out and document swift, decisive mitigation and remediation efforts, especially where an OCR investigation is imminent, as it is with large breaches. Now is the time for entities and their compliance oversight teams to establish an effective HIPAA compliance program.