By Leslie Francis
In a caustic opinion issued on January 14, the Fifth Circuit vacated penalties assessed by the U.S. Department of Health and Human Services (HHS) against the University of Texas M.D. Anderson Cancer Center for HIPAA security breaches.
As has happened to many other health care entities, M.D. Anderson had employees who were not careful with their laptops and thumb drives (and the data on them). A laptop holding the unencrypted protected health information of nearly 30,000 patients was stolen. Unencrypted thumb drives with information on almost 6,000 more patients were lost. M.D. Anderson disclosed the security breaches to HHS, which assessed civil monetary penalties for violation of HIPAA’s encryption and disclosure rules. M.D. Anderson then filed a petition for review, which resulted in the Fifth Circuit holding that the agency action was arbitrary and capricious for failure to consider an important aspect of the problem.
Commentators have already pointed out that this decision will reverberate throughout the HIPAA enforcement world. As it does, I hope it is met with scorn, for it trades on the informal logical fallacy of the false dilemma in two noteworthy ways.
Here’s the first, about encryption as “addressable.”
Under the HIPAA security rule, 45 C.F.R. § 164.312(a)(iv), encryption and decryption are “addressable” requirements. This means that covered entities must assess whether the standard is “a reasonable and appropriate safeguard in its environment,” and either implement the specification or document why doing so would not be reasonable and appropriate (45 C.F.R. § 164.306(d)(3)).
In circumstances where encryption is deemed appropriate, the rule then requires the covered entity to “[i]mplement a mechanism” to carry it out (45 C.F.R. § 164.312(a)(ii)).
It was indisputable that M.D. Anderson had “a mechanism”: it gave people an encryption key and instructed them on its use. Some employees simply failed to use encryption. M.D. Anderson, said the court, could not be expected under the rule to provide “bullet-proof” security.
But HHS did not penalize M.D. Anderson for being imperfect; HHS penalized M.D. Anderson for not having taken further steps about encryption when it had determined that more was needed in the circumstances in which it operated.
According to the Fifth Circuit, though, the agency had only two options under the security rule as it stands: either recognize that a mechanism is a mechanism, or specify through rulemaking what might make a mechanism or its implementation appropriate. Tellingly, in a footnote, the court says it is “ignoring” the addressability “carveout”: that is, whether M.D. Anderson had met the standard for determining whether encryption was a reasonable and appropriate safeguard in its environment.
Here’s the other false dilemma in the Fifth Circuit’s ruling: what “disclosure” means. The HIPAA rules define disclosure as the “release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.” 45 C.F.R. § 160.103.
According to the court, the agency had treated any loss of control as disclosure, but the regulatory language “suggests an affirmative act of disclosure, not a passive loss of information.”
Further, said the court, “[o]ne does not ordinarily ‘transfer’ or ‘provide’ something as a sideline observer but as an active participant . . . It defies reason to say that an entity affirmatively acts to disclose information when someone steals it.”
This characterization reveals the “action/omission” distinction in all of its tattered glory, ignoring the role that actions may play in absences or failures. M.D. Anderson did not hand the laptop over to a thief or instruct its employees to scatter thumb drives for the public to pick up on their way home. But M.D. Anderson let its employees have access to protected health information and copy it onto unencrypted laptops or thumb drives, a complex set of actions that made what happened all too predictable.
The Fifth Circuit’s black-and-white reasoning is not just a common flaw pointed out in elementary informal logic texts. It guts the idea of flexibility that undergirds the HIPAA security rule. “Addressable” does not mean that a covered entity may adopt any mechanism of its choosing. Rather, it means that a standard is left flexible so that covered entities may choose among “reasonable and appropriate safeguards” for the environment in which they function. “Disclose” does not mean just hand over. Rather, it means both affirmative transfer and “any manner” of divulgence.
Much more, of course, remains to be said about whether the level of flexibility in the HIPAA security rule strikes a reasonable balance among values such as innovation, efficiency, and patient protection. But the Fifth Circuit’s black-and-white approach will not advance the debate.