The Fifth Circuit Court of Appeals ruled that the Department of Health and Human Services (HHS) violated the Administrative Procedure Act in imposing a $4 million civil monetary penalty on M.D. Anderson Cancer Center. The case arose out of three incidents in 2012 and 2013, in which an unencrypted laptop was stolen, and two unencrypted USB thumb drives were lost.
HHS had determined that M.D. Anderson violated the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requirement that covered entities implement a mechanism to encrypt electronic protected health information (ePHI) or adopt another appropriate method to limit access. HHS also determined that the hospital violated the HIPAA Privacy Rule prohibition on unpermitted disclosure of PHI. Finally, HHS found that the hospital had reasonable cause to know that it had violated these rules and assessed daily penalties of $1,348,000 for the Security Rule violation and $3,000,000 for the Privacy Rule violation. The court ruled that HHS was arbitrary and capricious in applying its regulations and calculating the penalty amounts.
The encryption provision in the Security Rule requires that a covered entity must “implement a mechanism to encrypt and decrypt electronic protected health information.” The court determined that the hospital had implemented “a mechanism” to provide for encryption, because the hospital’s user agreement for employees stated that if confidential data is stored on a portable device, it must be encrypted and backed up to a network server. The hospital also provided an “IronKey” device to employees to encrypt mobile devices and trained employees on its use, encrypted emails, and maintained file-level encryption on its software. The court found that the failure of three individuals to follow the encryption requirements did not mean that the hospital failed to comply with the Security Rule requirement of implementing a mechanism to encrypt ePHI.
With regard to the Privacy Rule prohibition on unauthorized disclosure, the court stated that the definition of “disclosure” required that HHS must show that ePHI was disclosed to someone outside the covered entity, rather than simply that the covered entity lost control of certain ePHI. The court also observed that the agency is required to treat like cases similarly, and that the “Government has offered no reasoned justification for imposing zero penalty on one covered entity and a multi-million-dollar penalty on another.” Finally, the court found that the penalty amounts were not calculated in accordance with the statute. Congress had limited the penalty for reasonable cause violations to a maximum of $100,000 per calendar year, but HHS inappropriately applied the limit for uncorrected willful neglect violations.