DHHS fine for HIPAA Computer Security Violations held arbitrary and capricious

In University of Texas M.D. Anderson Cancer Center v. US Dept of Health and Human Services, No. 19-60226 (5th Cir. 1/14/2021) the Fifth Circuit held that the DHHS’ fine for violating the HIPAA Security Rule was “arbitrary, capricious, and contrary to law.” To say that the government lost this case is an understatement – the government’s arguments were roundly rejected in broad language – so much so that the government is going to regret ever having brought this case . . .

In brief, University of Texas M.D. Anderson Cancer Center (UT) had three computer security lapses in the early 2010s – one laptop and two thumb drives, each of which stored electronic Protected Health Information (ePHI), were not encrypted and were lost or stolen. The DHHS originally fined UT over 4 million dollars for violating rules that in most cases require ePHI to be encrypted, and that prohibit disclosure of ePHI to unauthorized persons. UT’s administrative efforts on appeal were unsuccessful, but when it petitioned to have the case reviewed by the court, the DHHS admitted that the maximum fine it could impose was $450,000. UT, however, objected to even that fine on two grounds: that a state instrumentality is not a “person” under the HIPAA enforcement provisions, and that the fine was arbitrary and capricious under the Administrative Procedure Act. The court did not address the first argument and assumed UT was a person subject to HIPAA enforcement.

Under the HIPAA Security Rule, a HIPAA-covered entity must “[i]mplement a mechanism to encrypt and decrypt electronic protected health information.” 45 C.F.R. § 164.312(a)(2)(iv) (emphasis by court). UT had done so – it had policies that required portable and mobile devices to be encrypted, it provided employees the technology (dongles) to encrypt these devices, and it trained them how to do so. DHHS argued that the mere fact that three devices were not encrypted meant that UT had violated the rule. The court disagreed:

[T]he Government argues that the stolen laptop and the two lost USB drives were not encrypted at all. That appears undisputed. But that does not mean M.D. Anderson failed to implement “a mechanism” to encrypt ePHI. It means only that three employees failed to abide by the encryption mechanism, or that M.D. Anderson did not enforce that mechanism rigorously enough. And nothing in HHS’s regulation says that a covered entity’s failure to encrypt three devices means that it never implemented “a mechanism” to encrypt anything at all.

UT v. DHHS, at p. 7 (slip)

The court goes on to provide numerous examples of scenarios where unauthorized disclosure of unencrypted ePHI would likely not violate the regulation, primarily because the regulation is not written to make data loss a strict liability.

The same result was found under the Disclosure Rule. That rule in general prohibits a Covered Entity from “disclosing” PHI except as permitted by the rule. The Disclosure Rule defines “disclosure” to “mean[] the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.” 45 C.F.R. § 160.103. The administrative law judge held that the loss of data on unencrypted devices was a “release”; however, the court disagreed and stated: “That interpretation departs from the regulation HHS wrote in at least three ways. First, each verb HHS uses to define “disclosure”—release, transfer, provide, and divulge—suggests an affirmative act of disclosure, not a passive loss of information. One does not ordinarily “transfer” or “provide” something as a sideline observer but as an active participant. The ALJ recognized as much when he defined “release” as “the act of setting something free.” But then he made the arbitrary jump to the conclusion that “any loss of ePHI is a ‘release,’” even if the covered entity did not act to set free anything. It defies reason to say an entity affirmatively acts to disclose information when someone steals it.”

Finally, the court was particularly upset that the DHHS took the position that it “can arbitrarily and capriciously enforce the CMP rules against some covered entities and not others.” UT had argued that in other similar cases either no fine was imposed, or fines much smaller than the fine imposed on UT were imposed. It also argued that DHHS refused to consider factors expressly stated in its own regulations – for example, whether any individual suffered financial harm – none of which the DHHS could prove.

This case is an incredible loss for the DHHS. It will need to completely overhaul its regulatory enforcement structure, most likely re-write regulations, and train its ALJs better on how to handle administrative law appeals in light of the arguments petitioners make. Finally, the case is incredibly helpful for Covered Entities and Business Associates in their efforts to avoid civil money penalties for small and inadvertent infractions (as long as they otherwise meet data security requirements).

Importantly, all entities that store and process PHI should be careful in drafting their Business Associate Agreements and related agreements to distinguish between regulatory violations (which under this case are not strict liability in many scenarios), and contractual liability. Many Business Associate Agreements are written as if *any* “loss” of PHI outside of the entity is a breach. Business Associates should be careful in reviewing these agreements so as to not undertake greater liability than that imposed under the regulations.

For more information contact Mike Oliver

Oliver & Grimsley named a Tier 1 Baltimore and Tier 3 National firm in Information Technology Law by U.S. News – Best Lawyers® “Best Law Firms” in 2021

Oliver & Grimsley has been publicized in the 2021 edition of U.S. News and World Report’s “Best Law Firms” report – and has been since the firm’s inception in 2013. The report names Oliver & Grimsley as a Metropolitan Tier 1 Firm in Baltimore for Copyright, Information Technology, and Trademark Law and a National Tier 3 Firm for Information Technology Law. This was made possible by the hard work and diligence of the team, including, but not limited to, Kim Grimsley – who is recognized in The Best Lawyers in America for 2021 for her work in Copyright Law – and Mike Oliver – who has been named to the Best Lawyers list for the last 15 years (including 2021), and who has been named “Lawyer of the Year” in Baltimore for the following subjects and years: 2020 for Copyright Law (the third time), Information Technology Law in 2016, Trademark Law in 2015 and 2012, and Intellectual Property Law in 2011.

Oliver & Grimsley would like to thank our clients and peers alike for continuing to support us and recognizing the value of our work. We look forward to the years to come.

Kim Grimsley recognized as Best Lawyer in 27th Edition of The Best Lawyers in America®

After a proud 20-year career of serving clients in the field of intellectual property, Kim Grimsley has been honored in the 27th Edition of The Best Lawyers in America© for her diligent work in copyright law. Lawyers awarded this distinction are judged by region and practice area after being nominated by their peers.

Additionally, Oliver & Grimsley, LLC received a Regional Tier 1 ranking for Baltimore in Copyright, Information Technology, and Trademark Law and a National Tier 3 ranking in the 2021 U.S. News – Best Lawyers® “Best Law Firms” for Information Technology Law.

Everyone at Oliver & Grimsley would like to congratulate Kim on her achievement, and we look forward to her continuing to excel in the future.

7th Anniversary amidst the COVID pandemic

This is our Firm’s 7th anniversary. Like so many people who are celebrating birthdays, wedding anniversaries and other significant events during the COVID pandemic, we are all working remotely, apart, and unable to do any activity in close proximity to each other. Luckily for us, we and our families, and all of our clients (and their families) to our best knowledge, are healthy. Not everyone is so lucky. The pandemic has a lot of people down, and for sure, it is really hard on front line health care workers, first responders, and regular workers who are just doing their jobs in tough circumstances – like working at grocery stores – not to mention all of their families who risk a lot more contact with the virus. Indeed, our staff have family members serving in these vital roles. So this year our firm just wants to say thanks to all of the people out there who are working so hard to minimize the impact of the virus here in Maryland, and risking their own health and health of their families. We appreciate your work, and hope when this subsides that you can take some time off, and physically and mentally recover.

CARES Act Loan Provisions Overview

Congress passed and the President signed H.R. 748 on March 27, 2020 in light of the recent Coronavirus / COVID outbreak. It contains the single largest government spending program ever enacted or implemented. Many clients are debating whether to make use of a portion of the act – specifically Div A, Title I, KEEPING AMERICAN WORKERS PAID AND EMPLOYED ACT. That Title allows the Small Business Administration to guarantee, and in some cases pay off, certain loans that would otherwise not be available to small businesses. The entire CARES Act can be viewed here: https://www.congress.gov/116/bills/hr748/BILLS-116hr748enr.xml
This post is an overview of that loan program and of the ability to have some or all of the loan forgiven.

Before providing the overview, any client considering using this loan program should consider how likely it is that the loan will be approved for forgiveness – and how much might not be forgiven. Even if a loan is not forgiven, there are valid reasons to consider using this loan program, because the loan terms are generally very favorable as compared to regular SBA loans. Some businesses, however – for example, businesses that have few or no employees, such as real estate holding companies – will not really benefit from this. Their tenants might benefit, though, because a covered cost includes rent. If their tenants are able to re-employ their workers in a fairly short time frame, the loan amount for those expenses might largely be forgiven.

Overview

  1. Eligibility:  In general, any business, including non-profits, sole proprietorships, contractors, etc., is eligible – but it generally must have fewer than 500 employees and have been in business as of 2/15/2020.[1]
  2. Amount:  The maximum loan is 2.5 X the total payroll costs of the eligible business for the 1-year period prior to the date the loan is made, not to exceed $10,000,000. Businesses that have been in business for less time can still obtain a loan.
  3. Period:  The loan must be made between February 15, 2020 and June 30, 2020.
  4. Interest rate:  Interest cannot exceed 4%.
  5. Precondition:  The eligible business must make certification that it has been impacted by COVID, however, the certification is very broad.
  6. Use of funds:  Funds from the loan may only be used for eligible expenses, which are: payroll costs; group health care benefits; employee-related insurance premiums; employee salaries, commissions, or similar compensation; payments of interest on any mortgage obligation; rent; utilities; and interest on any other debt obligations that were incurred before the covered period started. Note that these types of expenses can extend past the “covered period” for loan forgiveness.
  7. Fees: All application fees are waived. All requirements for personal guarantees are also waived.
  8. Repayment deferral:  Lenders MUST defer all payments (interest and principal) for at least 6 months, but not more than 1 year.
  9. Forgiveness: The eligible business may request that the loan be forgiven for covered costs incurred during the “covered period” which is the 8 week period commencing on the date of the loan origination.
    • Covered costs are rent on leases entered into before February 15, 2020, payroll costs[2] (during the covered period), payments of interest on any covered mortgage obligation, and payments on covered utility payments.
    • The maximum forgiveness cannot exceed the covered loan amount.[3]
    • The amount to be forgiven is reduced on a formula of the average number of “full-time equivalent employees”[4] per month employed by the eligible recipient during the covered period, as compared to the same number in either the period of January 1, 2020 and ending on February 29, 2020 or the period February 15, 2019 and ending on June 30, 2019 (at the election of the borrower), but . . .
    • If the eligible business had reduced hours of full time equivalent employees in the period 2/15/2020 and ending on 4/27/2020, such reductions shall not be used in the above calculation as long as such reductions are reinstated not later than June 30, 2020.

More detailed provisions supporting the above summary

H.R. 748, Div A, Title I, KEEPING AMERICAN WORKERS PAID AND EMPLOYED ACT

Sec. 1102(a)(1)(A)(iii) – the term ‘covered period’ means the period beginning on February 15, 2020 and ending on June 30, 2020;

(viii) – “payroll costs” – generally, all costs, including retirement, PTO, tips, health insurance, but: capped at 100K over a year, does not include costs for employees whose principal residence is located outside of US, does not include employee tax withholdings, does not include payments under section 7001 of the Families First Coronavirus Response Act (Public Law 116–127).

Sec. 1102(a)(1)(D) – must have less than 500 employees (complex formulas and requirements as to how to count them, and for multi-location businesses)

Sec. 1102(a)(1)(E) – maximum loan is generally 2.5 X the average total monthly payments by the applicant for payroll costs incurred during the 1-year period before the date on which the loan is made, capped at $10,000,000. Formula is different if business was started after 2/15/19.

Sec. 1102(a)(1)(F) ALLOWABLE USES OF COVERED LOANS.—

“(i) IN GENERAL.—During the covered period, an eligible recipient may, in addition to the allowable uses of a loan made under this subsection, use the proceeds of the covered loan for—

“(I) payroll costs;

“(II) costs related to the continuation of group health care benefits during periods of paid sick, medical, or family leave, and insurance premiums;

“(III) employee salaries, commissions, or similar compensations;

“(IV) payments of interest on any mortgage obligation (which shall not include any prepayment of or payment of principal on a mortgage obligation);

“(V) rent (including rent under a lease agreement);

“(VI) utilities; and

“(VII) interest on any other debt obligations that were incurred before the covered period.

Sec. 1102(a)(1)(F)(ii)(II) A lender must consider the age of the business, especially if it either was not in operation as of 2/15/2020, or had no employees or contractors.

Sec. 1102(a)(1)(G) BORROWER REQUIREMENTS.— in general the borrower has to certify that

“(I) that the uncertainty of current economic conditions makes necessary the loan request to support the ongoing operations of the eligible recipient;

“(II) acknowledging that funds will be used to retain workers and maintain payroll or make mortgage payments, lease payments, and utility payments;

“(III) that the eligible recipient does not have an application pending for a loan under this subsection for the same purpose and duplicative of amounts applied for or received under a covered loan; and

“(IV) during the period beginning on February 15, 2020 and ending on December 31, 2020, that the eligible recipient has not received amounts under this subsection for the same purpose and duplicative of amounts applied for or received under a covered loan.

All application fees are waived, and there is no personal guaranty requirement.

Loans cannot exceed 4% interest.

All payments on loans must be deferred at least 6 months, and not more than 1 year.

Loan Forgiveness, Sec. 1106.

“covered period” means the 8-week period beginning on the date of the origination of a covered loan;

“covered rent obligation” means rent obligated under a leasing agreement in force before February 15, 2020;

“expected forgiveness amount” means the amount of principal that a lender reasonably expects a borrower to expend during the covered period on the sum of any—

(A) payroll costs;

(B) payments of interest on any covered mortgage obligation (which shall not include any prepayment of or payment of principal on a covered mortgage obligation);

(C) payments on any covered rent obligation; and

(D) covered utility payments;…

Limits on forgiveness: “The amount of loan forgiveness under this section shall not exceed the principal amount of the financing made available under the applicable covered loan.” § 1106(d)

Amount is reduced by a formula:

(the average number of full-time equivalent employees per month employed by the eligible recipient during the covered period)

DIVIDED BY

EITHER:

(the average number of full-time equivalent employees per month employed by the eligible recipient during the period beginning on February 15, 2019 and ending on June 30, 2019)

OR

(the average number of full-time equivalent employees per month employed by the eligible recipient during the period beginning on January 1, 2020 and ending on February 29, 2020)

In addition, “The amount of loan forgiveness under this section shall be reduced by the amount of any reduction in total salary or wages [of any employee making less than 100K] … during the covered period that is in excess of 25 percent of the total salary or wages of the employee during the most recent full quarter during which the employee was employed before the covered period.”

Finally, “the amount of loan forgiveness under this section shall be determined without regard to a reduction in the number of full-time equivalent employees of an eligible recipient or a reduction in the salary of 1 or more employees of the eligible recipient, as applicable, during the period beginning on February 15, 2020 and ending on [April 27, 2020]” if

EITHER OR BOTH OF THE FOLLOWING ARE TRUE:

“(I) during the period beginning on February 15, 2020 and ending on [April 27, 2020], there is a reduction, as compared to February 15, 2020, in the number of full-time equivalent employees of an eligible recipient; and (II) not later than June 30, 2020, the eligible employer has eliminated the reduction in the number of full-time equivalent employees;

“(I) during the period beginning on February 15, 2020 and ending on [April 27, 2020], there is a reduction, as compared to February 15, 2020, in the salary or wages of 1 or more employees of the eligible recipient; and (II) not later than June 30, 2020, the eligible employer has eliminated the reduction in the salary or wages of such employees.”

[1] A business formed or started after this date might be eligible; it is a factor in the loan underwriting. Multi-location businesses with more than 500 employees might also be eligible.

[2] Note that there are no exclusions for payroll paid to owners, so long as the owner is not making more than 100K.

[3] It is not clear if they intended this to mean “plus interest”.

[4] Note therefore that part time employees are covered but are calculated on a “full time equivalent” basis.