The sixth annual “Women in the Law” Business Edition of The Best Lawyers in America was released on June 4th, 2021 and lists Oliver & Grimsley’s own Kim Grimsley as one of the four named women in IP in the Baltimore area. The publication features female attorneys from across the United States, in all practice areas, who have been honored with the Best Lawyers distinction. To achieve such distinction, lawyers are nominated by their peers and then judged by region and practice area.
Kim Grimsley has over 20 years of experience in intellectual property matters, with trademark clients from across the globe. In 2013, she opened Oliver & Grimsley, LLC with partner Mike Oliver. Kim was recently honored in the 27th Edition of The Best Lawyers in America, where Oliver & Grimsley, LLC was also featured as Regional Tier 1 ranking for Baltimore in Copyright, Information Technology, and Trademark Law and a National Tier 3 ranking in the 2021 U.S.News – Best Lawyers® “Best Law Firms” for Information Technology Law.
Everyone at Oliver & Grimsley would like to congratulate Kim on her achievement and look forward to her continuing to excel in the future.
In University of Texas M.D. Anderson Cancer Center v. US Dept of Health and Human Services, No. 19-60226 (5th Cir. 1/14/2021) the Fifth Circuit held that the DHHS’ fine for violating the HIPAA Security Rule was “arbitrary, capricious, and contrary to law.” To say that the government lost this case is an understatement – the government’s arguments were roundly rejected in broad language – so much so that the government is going to regret ever having brought this case . . .
In brief, University of Texas M.D. Anderson Cancer Center (UT) had three computer security lapses in the early 2010s – one laptop and two thumb drives, each of which stored electronic Protected Health Information (ePHI), were not encrypted and were lost or stolen. The DHHS originally fined UT over 4 million dollars for violating rules that in most cases require ePHI to be encrypted, and that prohibit disclosure of ePHI to unauthorized persons. UT’s administrative efforts on appeal were unsuccessful, but when it petitioned to have the case reviewed by the court, the DHHS admitted that the maximum fine it could impose was $450,000. UT, however, objected even to that fine on two grounds: that a state instrumentality is not a “person” under the HIPAA enforcement provisions, and that the fine was arbitrary and capricious under the Administrative Procedure Act. The court did not address the first argument and assumed UT was a person subject to HIPAA enforcement.
Under the HIPAA Security Rule, “a HIPAA-covered entity must ‘[i]mplement a mechanism to encrypt and decrypt electronic protected health information.’ 45 C.F.R. § 164.312(a)(2)(iv)” (emphasis by court). UT had done so – it had policies that required portable and mobile devices to be encrypted, it provided employees technology (dongles) to encrypt those devices, and it trained them how to do so. DHHS argued that the mere fact that three devices were not encrypted meant that UT had violated the rule. The court disagreed:
[T]he Government argues that the stolen laptop and the two lost USB drives were not encrypted at all. That appears undisputed. But that does not mean M.D. Anderson failed to implement “a mechanism” to encrypt ePHI. It means only that three employees failed to abide by the encryption mechanism, or that M.D. Anderson did not enforce that mechanism rigorously enough. And nothing in HHS’s regulation says that a covered entity’s failure to encrypt three devices means that it never implemented “a mechanism” to encrypt anything at all.
UT v. DHHS, at p. 7 (slip)
The court goes on to provide numerous examples of scenarios where unauthorized disclosure of unencrypted ePHI would likely not violate the regulation, primarily because the regulation is not written to make data loss a strict liability.
The same result was reached under the Disclosure Rule. That rule in general prohibits a Covered Entity from “disclosing” PHI except as permitted by the rule. The Disclosure Rule defines “disclosure” to “mean the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.” 45 C.F.R. § 160.103. The administrative law judge held that the loss of data on unencrypted devices was a “release”; however, the court disagreed and stated: “That interpretation departs from the regulation HHS wrote in at least three ways. First, each verb HHS uses to define ‘disclosure’—release, transfer, provide, and divulge—suggests an affirmative act of disclosure, not a passive loss of information. One does not ordinarily ‘transfer’ or ‘provide’ something as a sideline observer but as an active participant. The ALJ recognized as much when he defined ‘release’ as ‘the act of setting something free.’ But then he made the arbitrary jump to the conclusion that ‘any loss of ePHI is a “release,”’ even if the covered entity did not act to set free anything. It defies reason to say an entity affirmatively acts to disclose information when someone steals it.”
Finally, the court was particularly troubled that the DHHS took the position that it “can arbitrarily and capriciously enforce the CMP rules against some covered entities and not others.” UT had argued that in other similar cases either no fine was imposed, or fines much smaller than the fine imposed on UT were imposed. It also argued that DHHS refused to consider factors expressly stated in its own regulations (none of which the DHHS could prove – for example, that any individual suffered financial harm).
This case is an incredible loss for the DHHS. It will need to completely overhaul its regulatory enforcement structure, it will most likely need to re-write regulations, and it will need to train its ALJs better about how to handle administrative law appeals in light of the arguments made by petitioners. Finally, the case is incredibly helpful for Covered Entities and Business Associates in their efforts to avoid civil money penalties for small and inadvertent infractions (as long as they otherwise meet data security requirements).
Importantly, all entities that store and process PHI should be careful in drafting their Business Associate Agreements and related agreements to distinguish between regulatory violations (which under this case are not strict liability in many scenarios) and contractual liability. Many Business Associate Agreements are written as if *any* “loss” of PHI outside of the entity is a breach. Business Associates should review these agreements carefully so as not to undertake greater liability than that imposed under the regulations.
For more information, contact Mike Oliver.
Oliver & Grimsley has been listed in the 2021 edition of U.S. News and World Report’s “Best Law Firms” report – and has been every year since the firm’s inception in 2013. The report names Oliver & Grimsley as a Metropolitan Tier 1 Firm in Baltimore for Copyright, Information Technology, and Trademark Law and a National Tier 3 Firm for Information Technology Law. This was made possible by the hard work and diligence of the team, including, but not limited to, Kim Grimsley – who is recognized in The Best Lawyers in America for 2021 for her work in Copyright Law – and Mike Oliver – who has been named to the Best Lawyers list for the last 15 years (including 2021), and who has been named “Lawyer of the Year” in Baltimore for the following subjects and years: Copyright Law in 2020 (the third time), Information Technology Law in 2016, Trademark Law in 2015 and 2012, and Intellectual Property Law in 2011.
Oliver & Grimsley would like to thank our clients and peers alike for continuing to support us and for recognizing the value of our work. We look forward to the years to come.