By Christopher Danley, an environmental attorney with Baker Botts LLP in Washington DC.

***

On January 14, 2021, the United States Court of Appeals for the Fifth Circuit issued a scathing opinion against the United States Department of Health and Human Services (“HHS”).  The facts in University of Texas M.D. Anderson Cancer Ctr. v. United States are straightforward.  Employees of M.D. Anderson lost unencrypted data containing patients’ health information in three instances in which that data should have been encrypted.  In one incident, a faculty member’s unprotected and unencrypted laptop was stolen.  In two other incidents, an M.D. Anderson trainee and a visiting researcher each lost an unencrypted thumb drive.  In total, the mishaps compromised approximately 35,000 patients’ health information.

M.D. Anderson reported these incidents to HHS.  HHS determined that M.D. Anderson violated two federal regulations relating to the protection of electronic health information.  The first regulation required entities to “[i]mplement a mechanism to encrypt” protected health information (the “Encryption Rule”).  The second regulation prohibited the unpermitted disclosure of protected health information (the “Disclosure Rule”).  For violations of both rules, HHS imposed a fine of $4,348,000.  M.D. Anderson sought review of the HHS fine at two levels of administrative appeals:  an HHS administrative law judge and the HHS Departmental Appeals Board.  After its star-chamber-like experience during the HHS administrative appeals process, M.D. Anderson petitioned the Fifth Circuit for judicial review.  Tellingly, after M.D. Anderson filed its appeal before the Fifth Circuit, HHS stated that about 90% of the fine was indefensible.

The Fifth Circuit held that the civil monetary penalty violated the Administrative Procedure Act (“APA”).  While the amount of deference a court owes to an agency’s interpretation of its own rules has been a point of contention, the Fifth Circuit sidestepped that debate in M.D. Anderson.  Here, neither the HHS administrative law judge nor the HHS Departmental Appeals Board addressed M.D. Anderson’s statutory arguments or whether the penalty was arbitrary or capricious.  Rather, HHS’s in-house appeals process seemed to exist to enforce any violations found by the Department.

In resolving the matter, the Fifth Circuit set forth a textbook analysis in statutory interpretation.  The court noted at the outset that deference to the federal government’s interpretation of a statute or regulation is only considered when there is ambiguous language.  Here, no such assertion was made, so each regulation was given its plain meaning.  With this framework in place, the Fifth Circuit found multiple problems with the federal government’s actions.

First, the Encryption Rule required M.D. Anderson to “[i]mplement a mechanism to encrypt and decrypt electronic protected health information.”  HHS disputed the effectiveness of M.D. Anderson’s policies based on the loss of the unencrypted data and argued that M.D. Anderson should have done something differently to prevent this loss.  Essentially, HHS’s theory was that any loss of unencrypted data violated the Encryption Rule.  The Fifth Circuit found that M.D. Anderson had policies in place to protect health data and that M.D. Anderson provided resources and training to its employees to implement those policies.  Unfortunately, M.D. Anderson’s employees did not follow these policies, which led to the loss of unencrypted data.  Nevertheless, the Fifth Circuit held that M.D. Anderson “plainly” implemented a “mechanism” to protect health information.  Rather than get bogged down in a sliding scale of the effectiveness of the protective “mechanism,” the Fifth Circuit stayed on task to determine if the company had such a mechanism.  Once the court determined that M.D. Anderson put the required mechanism in place, it held the company was compliant with the Encryption Rule even if the mechanism’s effectiveness was in question.

Second, the Disclosure Rule prohibited M.D. Anderson from disclosing protected health information.  This regulation defined “disclosure” as “the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.”  In the litigation, HHS argued that “release” means any loss of control of information even if no one outside M.D. Anderson accessed the information.  The Fifth Circuit dismissed HHS’s argument as inconsistent with the plain language of the Disclosure Rule.  “Release” was an affirmative act as used in the regulation.  As such, M.D. Anderson did not release (or act affirmatively) when the hospital’s laptop containing this information was stolen.  Further, under their ordinary meaning, the verbs that defined “disclosure” were transitive so that protected health information must be transferred from one entity to another, and the receiving entity must be outside M.D. Anderson.  In the litigation, HHS was unable to prove that someone outside M.D. Anderson received the protected health information.

Third, the Fifth Circuit held that HHS acted arbitrarily and capriciously when it refused to benchmark the amount of civil monetary penalties levied against M.D. Anderson to penalties assessed against others.  Indeed, both the administrative law judge and the HHS Departmental Appeals Board rejected the use of the comparative standard to evaluate the penalties.  In the context of administrative law, the Fifth Circuit stated that the federal government must treat like cases the same or supply a reasoned analysis to distinguish matters.  Here, M.D. Anderson showed that other entities’ violations of the Encryption Rule had not resulted in financial penalties.  In one instance, a laptop containing unencrypted health information was stolen from a Cedars-Sinai employee, but HHS did not penalize the hospital.  HHS was unable to explain the distinctions between the two instances of theft.  The Fifth Circuit’s linkage of disparate punishments to the APA is a positive takeaway not only for those subject to HHS’s whims, but also for any business that faces uneven fines issued by a federal agency.

Finally, the Fifth Circuit found that HHS did not even correctly calculate the penalty amounts.  Under the relevant statute, violations of the Encryption Rule and Disclosure Rule are capped at $100,000 per year.  Somehow the administrative law judge and the HHS Departmental Appeals Board both determined that the statutory cap was $1,500,000 and meted out the penalty accordingly.  As a result, the administrative law judge ignored regulatory factors used to assess monetary penalties because the final amounts were considered lenient as compared to the maximum amount possible.  Thereafter, HHS attempted to sweep this mistake under the rug by publishing notice that it would use its discretion to limit the penalty to the correct statutory amount.  However, the Fifth Circuit held that the miscalculation of the penalty was arbitrary and capricious because the inflated penalty tainted the entire process.

Going forward, the federal executive branch should use the guidance in M.D. Anderson to make the administrative appeals process more rigorous.  Not all regulated entities will have the financial resources to seek judicial review of faulty penalties.  Just as importantly, throughout the review, the Fifth Circuit interpreted the regulations as written.  When HHS asserted that a rule was ineffective or too difficult to enforce, the Fifth Circuit directed HHS to promulgate revised rules rather than attempting to rewrite them on a case-by-case basis.  Thus, by limiting the federal executive branch, the Fifth Circuit maintained the checks and balances inherent in our federal government.