On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit overturned a $4.348 million penalty for alleged HIPAA violations assessed by the U.S. Department of Health & Human Services (HHS) against the University of Texas M.D. Anderson Cancer Center (Hospital). The case arises from an enforcement action undertaken by HHS following the Hospital’s self-disclosure of three separate instances of lost or stolen portable devices containing electronic protected health information (ePHI). The government’s investigation determined that the devices were not encrypted, and that the Hospital’s failure to encrypt the devices to protect the ePHI contained therein constituted a violation of HIPAA’s Privacy and Security Rules. After HHS imposed the penalty in 2017, the Hospital appealed the penalty first to an Administrative Law Judge, and then to HHS’s Departmental Appeals Board before petitioning the Fifth Circuit for review in 2019 (see our prior analyses of this case here).
In its decision, a Fifth Circuit panel unanimously determined that the penalty “was arbitrary, capricious and otherwise unlawful” for four reasons: (1) HIPAA’s encryption requirements are “addressable” and require covered entities to implement a mechanism to encrypt and decrypt electronic PHI, and the hospital did implement such a mechanism “even if it could’ve or should’ve been a better one;” (2) the Fifth Circuit disputed that the hospital actually “disclosed” PHI in violation of HIPAA as a result of the lost unencrypted devices containing ePHI, because the government could not demonstrate that the hospital actually undertook an affirmative act to disclose the information, or that someone outside of the entity actually received it; (3) the government did not pursue similar penalties against other similarly-situated covered entities, in violation of longstanding administrative law principles obligating agencies to treat analogous cases similarly; and (4) the government misinterpreted the applicable standard for the penalties assessed, thus imposing a significantly higher penalty than was permitted under HIPAA (an issue HHS conceded as part of the Fifth Circuit’s review in this case).
The Fifth Circuit thus concluded that the government had offered “no lawful basis” for the penalties assessed against the Hospital, and therefore the court vacated the penalties and remanded the case for further proceedings. It remains to be seen whether HHS will now drop the case against the Hospital entirely, or seek to impose reduced penalties in accordance with the Fifth Circuit analysis. Regardless, the Hospital’s successful appeal and this decision provide an interesting roadmap for other covered entities facing HIPAA enforcement actions that might consider challenging the basis for, or amounts of, penalties assessed by HHS.
The Department of Health and Human Services’ (HHS) Division of Critical Infrastructure Protection (CIP) issued a health care and public health sector notification this week entitled “Ransomware Activity Targeting the Healthcare and Public Health Sector (Update 2),” which was co-authored by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) to provide a situation update on the threat of ransomware to the health care sector. [see previous blog post].
According to the Alert, “some recent healthcare sector victims have experienced very short periods of time between initial compromise and activation – even under a few hours. CISA, FBI and HHS urge health delivery organizations and other HPH sector entities to work towards enduring and operationally sustainable protections against ransomware threats both now and in the future.”
The risk mitigation measures the notice suggests were provided in the joint aler from October 28, 2020, which included “the use of Trickbot, BazarLoader, and other techniques to eventually deploy a ransomware (like Ryuk) for extortion and financial gain.”
The update alerts health care providers that “the threat from ransomware is ongoing and entities should develop effective deterrent procedures while maintaining effective care delivery.”
Health care providers and contractors continue to be a popular target for hackers. Recently, CHSPSC LLC (CHSPSC), which provides various services to hospitals and clinics indirectly owned by Community Health Systems, Inc. of Tennessee, agreed to pay $2,300,000 to the Office for Civil Rights (OCR) in settlement of potential violations of HIPAA’s Privacy and Security Rules. The OCR investigation and settlement stemmed from a data breach affecting over six million people.
The services provided by CHSPSC to the health care facilities included legal, compliance, accounting, operations, human resources, information technology, and health information management. In April 2014, the FBI notified CHSPSC that a cyber-hacking group had compromised administrative credentials and remotely accessed CHSPSC’s information system through its virtual private network (VPN). Nevertheless, even after the FBI’s notice of the problem, the hackers continued for several months to access and exfiltrate the protected health information (PHI) of some six million individuals. The information obtained included names, gender, dates of birth, phone numbers, Social Security numbers, emails, ethnicity, and emergency contact information.
OCR’s investigation found longstanding systemic noncompliance with HIPAA at CHSPSC, including failure to conduct a risk analysis as well as failures to implement information system activity reviews, security incident procedures, and access controls. OCR was particularly critical of the organization’s failure to implement security protections even after being notified by the FBI of the potential breach. Apart from the significant monetary penalty, CHSPSC must comply with a corrective action plan (CAP) that includes the following: development of an internal monitoring plan; completion of an enterprise-wide risk analysis of security risks and vulnerabilities that incorporates all electronic systems, data systems, programs and applications that involve ePHI; creation of a risk management plan; review and revision of policies regarding technical access to applications and systems involving ePHI; and training for all employees. Each step must meet with the approval of the Department of Health & Human Services (HHS), and CHSPSC must periodically report to HHS regarding its compliance with the CAP.