985 F.3d 472 (5th Cir. 2021)
Background
- In 2012–2013, M.D. Anderson employees lost three unencrypted devices containing electronic protected health information (ePHI) for ~34,000 individuals (stolen laptop, two lost USB drives).
- HHS concluded M.D. Anderson violated HIPAA/HITECH regulations: the Encryption Rule (45 C.F.R. § 164.312(a)(2)(iv)) and the Disclosure Rule (45 C.F.R. § 164.502(a)), and found the violations attributable to “reasonable cause.”
- HHS assessed a civil monetary penalty (CMP) of $4,348,000; M.D. Anderson exhausted administrative appeals and petitioned the Fifth Circuit for review; HHS later conceded it could not defend penalties above $450,000 and issued a notice of enforcement discretion.
- At the administrative level the ALJ and Departmental Appeals Board declined to decide ultra vires or comparative-penalty challenges and interpreted the rules to permit penalties despite M.D. Anderson’s evidence of implemented encryption mechanisms and lack of evidence that ePHI reached anyone outside the entity.
- The Fifth Circuit conducted de novo review of statutory and regulatory claims (agency declined to supply a statutory interpretation and did not invoke Auer deference) and vacated the CMP as arbitrary, capricious, and contrary to law, remanding for proceedings consistent with the opinion.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| 1. Encryption Rule: whether implementing "a mechanism" is satisfied when some devices were unencrypted | M.D. Anderson: it implemented encryption mechanisms (policies, IronKey devices, training); isolated failures by employees do not mean no mechanism existed | HHS: loss of unencrypted devices shows failure to encrypt and thus noncompliance; enforcement can penalize because devices were unencrypted | Court: Held M.D. Anderson had implemented "a mechanism"; regulation requires a mechanism, not absolute immunity from human error or perfect enforcement, so HHS’s contrary interpretation was irrational |
| 2. Disclosure Rule: whether passive loss-of-control (theft/misplacement) equals a "disclosure" absent proof someone outside accessed the information | M.D. Anderson: "disclosure" requires information be made known to someone outside the entity; mere loss of control without evidence of outside access is not a disclosure | HHS: loss of control constitutes a release/disclosure for purposes of the rule, making entity liable | Court: Held HHS’s interpretation was contrary to the regulation’s text; "disclosure" requires an external recipient or actual making-known, and HHS conceded it could not prove outside access |
| 3. Consistency of enforcement: whether HHS must treat like cases alike when imposing penalties | M.D. Anderson: HHS treated similarly situated entities differently (e.g., Cedars-Sinai faced no penalty for a larger loss); agency must explain departures from past practice | HHS: each enforcement decision is fact-specific; no comparative standard in regulations | Court: Held agency must not arbitrarily treat like cases differently; unexplained inconsistency is arbitrary and capricious and APA review requires reasoned justification |
| 4. Statutory CMP caps: proper interpretation of per-year cap for "reasonable cause" violations | M.D. Anderson: statutory text caps total reasonable-cause penalties at $100,000 per calendar year | HHS: ALJ/Board misread statute, treating caps as higher (up to $1.5M); agency later invoked enforcement discretion to limit penalties | Court: Held HHS misinterpreted statutory caps; Congress set $100,000 calendar-year cap for reasonable-cause violations and agency may not rewrite numerical statutory limits |
Key Cases Cited
- FCC v. Fox Television Stations, 556 U.S. 502 (2009) (agencies must examine relevant data and articulate a satisfactory explanation)
- Motor Vehicle Mfrs. Ass’n v. State Farm, 463 U.S. 29 (1983) (arbitrary-and-capricious standard and need to consider important aspects of a problem)
- Marsh v. Oregon Nat. Res. Council, 490 U.S. 360 (1989) (scope of searching and careful APA review)
- Kisor v. Wilkie, 139 S. Ct. 2400 (2019) (limits on Auer deference; require genuine regulatory ambiguity)
- Heckler v. Chaney, 470 U.S. 821 (1985) (agency enforcement discretion principles)
- Utility Air Regulatory Group v. EPA, 573 U.S. 302 (2014) (agency cannot rewrite clear statutory text)
- National Ass’n of Home Builders v. Defenders of Wildlife, 551 U.S. 644 (2007) (avoid interpretations that render statutory language surplusage)
- National Cable & Telecommunications Ass’n v. Brand X, 545 U.S. 967 (2005) (agency consistency and deference principles)
