Mike Oliver and Kim Grimsley Recognized Again in the 28th Edition of the Best Lawyers®️ in America

Best Lawyers, an international lawyer ranking and referring source that is currently celebrating its 40th anniversary, has announced its 28th Edition of The Best Lawyers in America® for 2022, which will include Mike Oliver and Kim Grimsley.  In order to be featured, lawyers are nominated, critiqued by currently recognized lawyers on the caliber of their work, and analyzed accordingly.

Mike Oliver has been recognized in this publication for the past 16 years since being recognized initially in 2006. He is also recognized as “Lawyer of the Year” for his work in Trademark Law in Baltimore – which will also be his 8th “Lawyer of the Year” award, having previously been named for his work in various fields, including copyright, intellectual property, and information technology law. This award is granted to only one lawyer per specialty and location each year, given to lawyers with the highest overall peer feedback in such area and region.

Mike has been practicing intellectual property law for over 30 years.  In addition, his knowledge as a computer programmer has been a valuable asset for those clients in the software and technology industry.

Kim Grimsley has been recognized again in this publication for her professional excellence by her peers – she is being recognized in the fields of Copyright Law and Trademark Law.  This will be Kim’s second year being featured.

Kim has been practicing intellectual property law for 20 years, and she has enjoyed working with clients – from start-up businesses to publicly traded companies in all industries – in building and protecting their intellectual property in the United States and worldwide.

Everyone at Oliver & Grimsley would like to congratulate Kim and Mike on their continued hard work and excellence. 

Kudos to Our Client Hunt A Killer, a Creative and Explosive Maryland-based Company with Exciting Adventures Coming Your Way!

Hunt A Killer started in 2016 with a plan to immerse its audience in the world of crime solving. Mixing the cultural fascination of true crime with the game play strategy of a roleplay tabletop game, their monthly subscription box quickly took off with consumers, and the company has grown with more than 3 million game boxes shipped. Now, the Maryland-based company that started with a pair of childhood friends is venturing into the world of publishing as it teams up with Scholastic Books.

Planned for release in spring of 2022, the first book in the Hunt A Killer series will be a young adult novel called Perfect Score by Angelica Monai. It will follow the story of a young sleuth, Jo, who witnesses what she believes to be a murder after moving to a new school. It is currently available for pre-order in paperback and e-book.

That is not all – the interactive game company is also teaming up with the classic young adult detective, Nancy Drew. In October 2021, a special game box called “Mystery at Magnolia Gardens” is planned for release. Players will be tasked with piecing together all the clues Nancy Drew has gathered in order to solve a mysterious poisoning.

Last year, Hunt A Killer teamed with Lionsgate Games to produce a special series based on the Blair Witch universe.

Hunt A Killer is a client of Oliver & Grimsley, and our entire team would like to congratulate its crew on their continued success. We are honored to have the opportunity to work with them and look forward to seeing what new projects are in store for the future. Kudos to you, Hunt A Killer!

Kim Grimsley recognized in Best Lawyers 2021 “Women in the Law” Edition

The sixth annual “Women in the Law” Business Edition of The Best Lawyers in America was released June 4th, 2021 and lists Oliver & Grimsley’s own Kim Grimsley as one of the four named women in IP in the Baltimore area. The publication features female attorneys from across the United States in all practice areas who are honored with the Best Lawyer distinction. To achieve such distinction, lawyers are nominated by their peers and then judged by region and practice area.

Kim Grimsley has over 20 years of experience in intellectual property matters, with trademark clients from across the globe. In 2013, she opened Oliver & Grimsley, LLC with partner Mike Oliver. Kim was recently honored in the 27th Edition of The Best Lawyers in America, where Oliver & Grimsley, LLC was also featured with a Regional Tier 1 ranking for Baltimore in Copyright, Information Technology, and Trademark Law and a National Tier 3 ranking in the 2021 U.S. News – Best Lawyers® “Best Law Firms” for Information Technology Law.

Everyone at Oliver & Grimsley would like to congratulate Kim on her achievement and look forward to her continuing to excel in the future.

DHHS fine for HIPAA Computer Security Violations held arbitrary and capricious

In University of Texas M.D. Anderson Cancer Center v. US Dept of Health and Human Services, No. 19-60226 (5th Cir. 1/14/2021) the Fifth Circuit held that the DHHS’ fine for violating the HIPAA Security Rule was “arbitrary, capricious, and contrary to law.” To say that the government lost this case is an understatement – the government’s arguments were roundly rejected in broad language – so much so that the government is going to regret ever having brought this case . . .

In brief, University of Texas M.D. Anderson Cancer Center (UT) had three computer security lapses in the early 2010 period – one laptop and two thumb drives, each of which stored electronic Protected Health Information (ePHI), were not encrypted, and were lost or stolen. The DHHS originally fined them over 4 million dollars for violating rules that in most cases require ePHI to be encrypted, and that prohibit disclosure of ePHI to unauthorized persons. UT’s administrative efforts on appeal were unsuccessful, but when they petitioned to have the case reviewed by the court, the DHHS admitted that the maximum fine they could impose was $450,000. UT, however, objected to even that fine on 2 grounds: that a state instrumentality is not a person under the HIPAA enforcement provisions, and that the fine was arbitrary and capricious under the Administrative Procedure Act. The court did not address the first argument and assumed UT was a person subject to HIPAA enforcement.

Under the HIPAA Security Rule, “a HIPAA-covered entity must ‘[i]mplement a mechanism to encrypt and decrypt electronic protected health information.’ 45 C.F.R. § 164.312(a)(2)(iv)” (emphasis by court). UT had done so – it had policies that required portable and mobile devices to be encrypted, it provided employees certain technology (dongles) to encrypt these devices, and it trained them how to do so. DHHS argued that the mere fact that 3 devices were not encrypted meant that UT had violated the rule. The court disagreed:

[T]he Government argues that the stolen laptop and the two lost USB drives were not encrypted at all. That appears undisputed. But that does not mean M.D. Anderson failed to implement “a mechanism” to encrypt ePHI. It means only that three employees failed to abide by the encryption mechanism, or that M.D. Anderson did not enforce that mechanism rigorously enough. And nothing in HHS’s regulation says that a covered entity’s failure to encrypt three devices means that it never implemented “a mechanism” to encrypt anything at all.

UT v. DHHS, at p. 7 (slip)

The court goes on to provide numerous examples of scenarios where unauthorized disclosure of unencrypted ePHI would likely not violate the regulation, primarily because the regulation is not written to make data loss a strict liability.

The same result was found under the Disclosure Rule. That rule in general prohibits a Covered Entity from “disclosing” PHI except as permitted by the rule. The Disclosure Rule defines “disclosure” to “mean[] the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.” 45 C.F.R. § 160.103. The administrative law judge held that the loss of data on unencrypted devices was a “release”; however, the court disagreed and stated: “That interpretation departs from the regulation HHS wrote in at least three ways. First, each verb HHS uses to define ‘disclosure’—release, transfer, provide, and divulge—suggests an affirmative act of disclosure, not a passive loss of information. One does not ordinarily ‘transfer’ or ‘provide’ something as a sideline observer but as an active participant. The ALJ recognized as much when he defined ‘release’ as ‘the act of setting something free.’ But then he made the arbitrary jump to the conclusion that ‘any loss of ePHI is a “release,”’ even if the covered entity did not act to set free anything. It defies reason to say an entity affirmatively acts to disclose information when someone steals it.”

Finally, the court was particularly upset that the DHHS took the position that it “can arbitrarily and capriciously enforce the CMP rules against some covered entities and not others.” UT had argued that in other similar cases either no fine was imposed, or fines much smaller than the fine imposed on UT were imposed. It also argued that DHHS refused to consider factors expressly stated in its own regulations (none of which the DHHS could prove – for example, that any individual suffered financial harm).

This case is an incredible loss by the DHHS. It will need to completely overhaul its entire regulatory enforcement structure, most likely it will need to re-write regulations, and it will need to train its ALJs better about how to handle administrative law appeals in light of arguments made by the petitioners. Finally, the case is incredibly helpful for Covered Entities and Business Associates in their efforts to avoid civil money penalties for small and inadvertent infractions (as long as they otherwise meet data security requirements).

Importantly, all entities that store and process PHI should be careful in drafting their Business Associate Agreements and related agreements to distinguish between regulatory violations (which under this case are not strict liability in many scenarios), and contractual liability. Many Business Associate Agreements are written as if *any* “loss” of PHI outside of the entity is a breach. Business Associates should be careful in reviewing these agreements so as to not undertake greater liability than that imposed under the regulations.

For more information contact Mike Oliver

Oliver & Grimsley named a Tier 1 Baltimore and Tier 3 National firm in Information Technology Law by U.S. News – Best Lawyers® “Best Law Firms” in 2021

Oliver & Grimsley has been publicized in the 2021 edition of U.S. News and World Report’s “Best Law Firms” report – and has been since the firm’s inception in 2013. The report names Oliver & Grimsley as a Metropolitan Tier 1 Firm in Baltimore for Copyright, Information Technology, and Trademark Law and a National Tier 3 Firm for Information Technology Law. This was made possible by the hard work and diligence of the team including, but not limited to, Kim Grimsley – who is recognized in The Best Lawyers in America for 2021 for her work in Copyright Law – and Mike Oliver – who has been named to the Best Lawyers list for the last 15 years (including 2021), and who has been named “Lawyer of the Year” in Baltimore for the following subjects and years: 2020 for Copyright Law (the third time), Information Technology Law in 2016, Trademark Law in 2015 and 2012, and Intellectual Property Law in 2011.

Oliver & Grimsley would like to thank our clients and peers alike for continuing to support us and recognizing the value of our work.  We look forward to the years to come.