On June 1, 2018, U.S. Department of Health and Human Services (HHS) Administrative Law Judge (ALJ) Steven Kessel imposed $4,348,000 in civil monetary penalties against The University of Texas MD Anderson Cancer Center (MD Anderson) as a result of “dilatory conduct” that resulted in HIPAA violations.[1] MD Anderson’s monumental penalty stemmed from three separate HIPAA incidents: (1) the April 30, 2012 theft of an unencrypted laptop computer from an MD Anderson employee’s residence; (2) the July 13, 2012 loss of an unencrypted thumb drive by a trainee on an MD Anderson employee shuttle bus; and (3) the November 27, 2013 loss of an unencrypted thumb drive by a visiting researcher.[2] The laptop computer contained electronic protected health information (ePHI) relating to almost 30,000 patients, while the trainee’s thumb drive and the researcher’s thumb drive contained the ePHI of 2,200 and 3,600 patients, respectively.[3] Despite recognizing the need to encrypt ePHI-storing devices as early as 2006,[4] MD Anderson did not complete its encryption efforts until well after the three HIPAA incidents occurred. The investigation by HHS’ Office for Civil Rights (OCR) determined that MD Anderson’s delayed encryption efforts led MD Anderson to violate HIPAA requirements in two respects: “(1) it failed to perform its self-imposed duty to encrypt electronic devices and data storage equipment; and (2) it allowed ePHI to be disclosed.”[5]
The ALJ’s decision marks the second HIPAA-related summary judgment victory in OCR’s history and the fourth-largest civil monetary penalty award for violations of HIPAA.[6] After the ruling, OCR Director Roger Severino stated, “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”[7] Further, Director Severino advised, “OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations.”[8]
MD Anderson’s case began when it submitted breach notification reports to OCR in 2012 and 2013, which detailed the HIPAA incidents described above.[9] After investigation, OCR attempted to reach an informal settlement resolution with MD Anderson from approximately October 28, 2015 to August 11, 2016.[10] After failing to agree to a settlement, OCR issued a Letter of Opportunity, dated August 11, 2016, which invited MD Anderson to submit written evidence including “mitigating factors” and “affirmative defenses” against OCR’s imposition of civil monetary penalties.[11] MD Anderson submitted evidence to OCR on or about September 12, 2016, in response to OCR’s letter.[12] After reviewing the evidence submitted by MD Anderson, and after consulting with the Department of Justice (DOJ), OCR issued a Notice of Proposed Determination,[13] which imposed civil monetary penalties in the amount of $4,348,000 against MD Anderson. MD Anderson appealed OCR’s determination and requested an ALJ hearing to review the appropriateness of OCR’s determination.[14]
The ALJ’s decision is remarkable not only for upholding the exceptionally steep fines proposed by OCR, but also because it resulted from OCR’s rare use of the civil monetary penalties determination enforcement mechanism. The civil monetary penalty enforcement mechanism allows OCR to impose fines against covered entities and business associates that violate the HIPAA Privacy, Security and Breach Notification Rules found at 45 C.F.R. Part 160 and subparts A, C, D, and E of Part 164.[15] Typically, OCR enforcement results in an informal resolution between the offending entity and OCR, although OCR may elect to impose civil monetary penalties on its own accord, subject to a covered entity or business associate’s right to appeal. The MD Anderson case therefore serves as a prime example of the breadth and strength of OCR’s enforcement mechanisms, as well as the ALJ’s deference to the reasonableness of OCR’s determination. For example, in response to MD Anderson’s argument for a waiver of excessive penalties, ALJ Kessel wrote that MD Anderson’s conduct was “shocking” and a “plainly aggravating factor” that made the penalties in this case “quite modest given the gravity of [MD Anderson’s] noncompliance.”[16] As such, the ALJ’s decision demonstrates the importance of HIPAA compliance in an ever-changing healthcare landscape. The case is noteworthy also because there are very few decisions of this nature involving ALJ decision-making and enforcement of penalties for HIPAA breaches. The decision at least impliedly resolves what is viewed by many as an unsettled HIPAA compliance issue: Is encryption of ePHI – at rest, in motion, in transit – required? In the wake of MD Anderson, covered entities and business associates should take heed of the lessons to be learned from the stance taken by OCR, and affirmed by the ALJ, as to encrypting mobile devices and implementing enterprise-wide encryption solutions.
How does HIPAA protect ePHI?
With respect to ePHI, the HIPAA regulations generally require covered entities to: (1) ensure the confidentiality, integrity, and availability of all ePHI that the covered entity creates, receives, maintains, or transmits; (2) protect ePHI against any reasonably anticipated threats or hazards to its security; (3) protect ePHI against any reasonably anticipated impermissible uses and disclosures; and (4) ensure that their workforces comply with HIPAA requirements.[17] To meet these obligations, covered entities must devise and implement physical, technical, and administrative safeguards that meet certain “implementation specifications” which HHS classifies as either “required” or “addressable.”[18] “Required” implementation specifications must be satisfied, while “addressable” implementation specifications may be met by either: (1) implementing the addressable implementation specification; (2) implementing one or more alternative security measures to accomplish the same purpose; or (3) not implementing either an addressable implementation specification or an alternative.[19] Further, a choice of solutions to addressable implementation specifications must be documented and must be reasonable and appropriate given the covered entity or business associate’s circumstances.[20]
The MD Anderson case tackled one of HIPAA’s more widely debated “addressable” technical safeguard implementation specifications, which requires covered entities to “implement a mechanism to encrypt and decrypt electronic protected health information.”[21] Despite this implementation specification’s “addressable” status, it contains strong language which, read literally, appears to require covered entities and business associates to encrypt and decrypt all ePHI. While the use of encryption is not mandatory, it must be implemented if, after a risk assessment, “the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI.”[22] Although addressable implementation specifications provide covered entities and business associates leeway in meeting each specification, compliance in the wake of MD Anderson appears to require the encryption of all ePHI if it is determined that it is reasonable and appropriate to implement a mechanism to encrypt and decrypt ePHI.[23]
In this day and age, it has become increasingly difficult for covered entities and business associates to argue that encryption is not the only reasonable and appropriate way to satisfy this implementation specification. With large data breaches as commonplace occurrences and with the Breach Notification Rule now providing a “safe harbor” for those who encrypt ePHI,[24] there is really no remaining justification for failing to encrypt on the basis that this specification is “addressable” and not “required.”
MD Anderson’s Failure to Implement Encryption
In 2006, MD Anderson conducted a risk assessment and determined that enterprise-wide encryption of electronic devices that store ePHI was reasonable and appropriate.[25] Thereafter, MD Anderson adopted a policy to implement enterprise-wide encryption, although MD Anderson was not technically required to do so.[26] Rather, MD Anderson adopted its enterprise-wide encryption policy as its own reasonable and appropriate technical safeguard to protect its ePHI from unlawful disclosure.[27] From an outsider’s point of view, MD Anderson was perhaps even ahead of the times by voluntarily deciding in 2006 to encrypt devices that stored ePHI.
However, MD Anderson failed to implement its enterprise-wide policy to encrypt ePHI until as late as 2013. Although MD Anderson repeatedly reminded its workforce of its encryption policy, as well as the workforce’s obligation not to remove unencrypted portable media devices (i.e., computers and thumb drives) from MD Anderson’s premises, the ALJ determined that MD Anderson “made only half-hearted and incomplete efforts at encryption over the ensuing years.”[28] For example, the ALJ pointed to the fact that MD Anderson did not engage in its first encryption effort until as late as 2008, despite thousands of its laptop computers lacking encryption.[29] Thereafter, in 2009, according to the ALJ’s decision, MD Anderson halted its encryption program due to self-described financial constraints.[30] In 2010, after the theft of a different laptop computer and other instances of lost patient records, MD Anderson proposed restarting its encryption efforts but did not actually commence encryption work until as late as August 2011 – nearly five years after it first announced its policy on encryption of electronic devices.[31]
As a result of MD Anderson’s delay in encrypting its electronic devices, MD Anderson was left exposed to large-scale HIPAA breaches without the protections afforded under the Breach Notification Rule for encrypted devices. The ALJ also relied on the fact that MD Anderson had written encryption policies going back to 2006 but had apparently not effectively implemented its policies.[32] Further, the ALJ pointed to MD Anderson having conducted risk analyses that discovered that lack of device-level encryption posed a high risk to the security of ePHI.[33] In essence, MD Anderson put itself on notice of its own HIPAA compliance obligations but failed to adequately encrypt its inventory of electronic devices in accordance with its self-selected method for protection of ePHI.
Relying on regulatory text found at 45 C.F.R. § 164.312(a)(2)(iv), MD Anderson argued at the ALJ level that it met the encryption implementation specification because it had implemented a piecemeal encryption mechanism consisting of the following: (1) password protection for all computers and portable computing devices; (2) a requirement that ePHI on portable devices be backed up to network servers; and (3) annual employee training on appropriate handling and use of ePHI.[34] MD Anderson argued that while its piecemeal encryption mechanism was not the formal encryption mechanism MD Anderson adopted in its policies (i.e., encryption of electronic devices), it nevertheless satisfied MD Anderson’s obligation to implement a mechanism to encrypt and decrypt ePHI.[35] While the ALJ agreed with MD Anderson that nothing in the HIPAA regulations directed the use of specific encryption mechanisms, he did not accept MD Anderson’s “red herring” argument that its piecemeal mechanism satisfied MD Anderson’s encryption obligation.[36] The ALJ determined that “[o]nce [MD Anderson] elected to utilize that mechanism, it was obligated to make it work” because MD Anderson found encryption of all devices to be the reasonable safeguard MD Anderson would implement.[37]
While MD Anderson’s “red herring” argument correctly pointed out that the encryption implementation specification does not mandate the use of encryption, the argument likely missed HHS’s evolving pattern of preference for the use of encryption to meet the implementation specification. For example, while HHS’s website expressly states that encryption of all devices is not required to meet the encryption mechanism implementation specification,[38] as early as 2008 resolution agreements between OCR and covered entities to resolve alleged HIPAA violations contained provisions requiring covered entities to implement device encryption to satisfy the implementation specification.[39] Further, HHS’s 2009-2010 annual report to Congress on Breaches of Unsecured Protected Health Information indicated that covered entities most commonly used encryption as a risk mitigation strategy against breaches of ePHI of 500 or more people and also that 50 percent of all covered entities reporting HIPAA breaches in 2009-2010 began adopting encryption technologies.[40] In short, while MD Anderson made a legally justifiable argument against encryption, its argument did not account for the fact that the healthcare industry and HHS were moving toward using encryption as a reasonable safeguard to meet the encryption implementation specification.
The MD Anderson case serves as an important reminder to covered entities and business associates that merely having HIPAA policies that purport to protect ePHI does not constitute compliance with HIPAA. Further, while HIPAA affords covered entities and business associates some level of flexibility in how to protect ePHI, this flexibility is conditioned upon the implementation of reasonable mechanisms to protect ePHI.[41] Simply put, a covered entity or business associate cannot merely adopt policies and procedures to safeguard ePHI, but rather, must understand and implement those policies and procedures in a meaningful way that accomplishes HIPAA’s requirements in light of reasonable industry standards. Moreover, as encryption methods for portable devices have become ubiquitous and more cost-friendly over the past decade, covered entities must acknowledge that HIPAA’s technical implementation specifications are more reasonably accomplished than when the HIPAA Security Rule[42] was finalized. As information technology continues to respond to and effectively address lingering threats to patient information, so too must covered entities and business associates respond to and address their ever-changing HIPAA compliance needs.
* * *
[6] U.S. Dept. of Health and Human Srvcs., HHS Press Office, Judge rules in favor of OCR and requires a Texas cancer center to pay $4.3 million in penalties for HIPAA violations [Press Release], available at https://www.hhs.gov/about/news/2018/06/18/judge-rules-in-favor-of-ocr-and-requires-texas-cancer-center-to-pay-4.3-million-in-penalties-for-hipaa-violations.html.
[9] U.S. Dept. of Health and Human Srvcs., Notice of Proposed Determination, OCR Transaction Numbers 12-145395, 12-147543, and 14-175214, pages 2-3 (March 23, 2017), available at https://www.hhs.gov/sites/default/files/md-anderson-npd-signed.pdf.
[22] U.S. Dept. of Health and Human Srvcs., Office for Civil Rights FAQ (July 26, 2013), available at https://www.hhs.gov/hipaa/for-professionals/faq/2001/is-the-use-of-encryption-mandatory-in-the-security-rule/index.html.
[38] U.S. Dept. of Health and Human Srvcs., HIPAA for Professionals Webpage (as of Sept. 12, 2018), available at https://www.hhs.gov/hipaa/for-professionals/faq/2001/is-the-use-of-encryption-mandatory-in-the-security-rule/index.html.
[39] See U.S. Dept. of Health and Human Srvcs., Resolution Agreement between the Office for Civil Rights and Providence Health and Services, at page 5 (July 9, 2008) (requiring the covered entity to adopt policies governing the encryption of portable devices containing ePHI); see also U.S. Dept. of Health and Human Srvcs., Resolution Agreement between the Office for Civil Rights and The General Hospital Corporation and Massachusetts General Physicians Organization, Inc., at page 3 (Feb. 14, 2011) (requiring the covered entity to adopt policies and procedures to encrypt laptops and USB drives).
[40] U.S. Dept. of Health and Human Srvcs., Office for Civil Rights, Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2009 and 2010, at 8, available at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/breachnotificationrule/breachrept.pdf.
[42] See 45 C.F.R. Part 160 and Subparts A and C of Part 164 (HHS promulgated the Security Standards final rule on February 20, 2003, which required covered entities, with limited exceptions, to comply with the HIPAA Security Standards by no later than April 21, 2005).