Attack of a Paper Tiger: Ignoring Own Policies Leads to HIPAA Fine

By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure#HCdeJure

On June 18, 2018, the Office for Civil Rights released a decision and memorandum from an Administrative Law Judge following a dispute over HIPAA fines imposed against The University of Texas MD Anderson Cancer Center (MD Anderson). The decision for all intents and purposes draws a clear line in the sand that encryption, despite being an addressable element under the Security Rule, cannot be avoided.

An outline of the facts will help to set the stage. OCR investigated MD Anderson following submission of three separate breach notifications. One notification concerned a stolen laptop and the other two involved stolen thumb drives. In each instance, the device was not encrypted. As described in the decision, MD Anderson for years identified the risk associated with unencrypted data on laptops, portable devices and other devices. MD Anderson at many points in time set internal policies that encryption was the most appropriate means of addressing the risk posed by such devices.

After dragging its feet for years on implementing the encryption, even fully stopping all plans at one point over lack of funding, MD Anderson began a slow process of encrypting its devices. However, those efforts still took years with significant portions of identified devices remaining unencrypted following report of the breaches that formed the basis of the issue behind the decision.

In trying to appeal OCR’s imposition of a $4.3 million fine, MD Anderson asserted that encryption is not mandated by either the HIPAA statute or regulations. The administrative law judge rejected this argument, stating that HIPAA requires entities to render all systems containing protected health information inaccessible to unauthorized users. The ALJ was careful to suggest that encryption is not mandated, but found encryption required in MD Anderson’s case because it self-identified that encryption was the best means of rendering the information inaccessible. Despite not explicitly stating that encryption is mandatory, a question does exist as to what alternative viably list other than encryption to render information inaccessible.

The decision addresses other elements of HIPAA compliance and what constitutes a breach. In that regard, another interesting area of the decision to explore is MD Anderson’s failed argument that mere loss of an unencrypted device does not constitute a disclosure not permitted under HIPAA. Arguably, that assertion is an attempt of throwing concepts at the wall in the hope that one would stick to reduce or remove the penalty. As expected, the ALJ did not accept MD Anderson’s argument. The ALJ stated that an impermissible release is enough to show a violation of the HIPAA privacy requirements. Using the general definition of release, it can include setting free from restraint, which practically means losing control. What more fully constitutes losing control of something than having it stolen or not knowing where it is. The ALJ also contrasted the situation from claims for private damages that actual access is not necessary since the HIPAA regulatory scheme seeks to ensure that entities are maintaining and securing information.

As noted, the decision against MD Anderson is important from the perspective that it seems to mandate encryption. As described above, the ALJ never directly stated that HIPAA mandates encryption. The Security Rule includes encryption as an addressable element. As should be known, addressable elements are not optional, but flexible in the approach of how to implement. As already described, the ALJ focused on the need to render information inaccessible, which could be done through any variety of means selected by the entity. Accordingly, if some viable means aside from encryption is or becomes available, then an entity may be able to use that instead of encryption. Without a thorough technical background, at this point in time, it is not clear how information can be rendered inaccessible other than with encryption.

Leaving aside the nuance of whether encryption is in fact now required, it should be noted that many will interpret the decision as mandating encryption. It will also remain to be seen how OCR uses the decision when it comes to encryption. Since government agencies rarely want to set a clear line in the sand, it should not be expected that OCR will come out and clearly state that encryption is now required.

Taking a longer-term view, it is actually beneficial that encryption has not been identified as essential. Arguments are being made that it will soon be relatively “easy” to break encryption as different forms of machine learning quantum computing or other technological breakthroughs continue to be developed. On the defensive side, suggestions have been made the artificial intelligence should be implemented as part of the security mechanism, which can be used to proactively block attackers. Would this be sufficient? As with so many things, it depends.

Whether encryption is, in fact, mandatory is not the real takeaway from the MD Anderson decision. What entities should actually takeaway is that security is about protecting information and taking all reasonable steps to prevent others from accessing the information.

The other big takeaway is that an entity’s own plans and policies will often establish the basis for it to get int trouble. MD Anderson ran into issues because it did not follow its own policies for years on end despite repeatedly identifying the risk for not encrypting devices. The decision leaned very heavily on MD Anderson’s own decisions and no follow through. Remember, policies written and put on the shelf without ever being considered again are worse than ignoring a policy.

This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.