Univ. of Tex. M.D. Anderson Cancer Ctr. v. U.S. Dep't of Health & Human Servs.

• Decision Date: 14 January 2021
• Docket Number: No. 19-60226,19-60226
• Citation: 985 F.3d 472
• Parties: UNIVERSITY OF TEXAS M.D. ANDERSON CANCER CENTER, Petitioner, v. UNITED STATES DEPARTMENT OF HEALTH AND HUMAN SERVICES, Respondent.
• Court: U.S. Court of Appeals — Fifth Circuit

985 F.3d 472

UNIVERSITY OF TEXAS M.D. ANDERSON CANCER CENTER, Petitioner,

v.UNITED STATES DEPARTMENT OF HEALTH AND HUMAN SERVICES, Respondent.

No. 19-60226

United States Court of Appeals, Fifth Circuit.

FILED January 14, 2021

Brian Scott McBride, Esq., Attorney, John W. Petrelli, III, Morgan, Lewis & Bockius, L.L.P., Houston, TX, David Bruce Salmons, Esq., Morgan, Lewis & Bockius, L.L.P., Washington, DC, for Petitioner.

Anne M. Murphy, Trial Attorney, Abby Christine Wright, U.S. Department of Justice, Civil Division, Appellate Section, Washington, DC, Daniel Barry, Associate General Counsel, Washington, DC, Roger Carter Geer, Delores Thompson, Daniel Ray Wolfe, Jr., Assistant Regional Counsel, Assistant Regional Counsel, U.S. Department of Health & Human Services, Office of the General Counsel Region VI, Dallas, TX, for Respondent.

Before Wiener, Engelhardt, and Oldham, Circuit Judges.

Andrew S. Oldham, Circuit Judge:

Employees of the University of Texas M.D. Anderson Cancer Center ("M.D. Anderson" or "Petitioner") lost patients’ data. In response, the United States Department of Health and Human Services ("HHS" or the "Government") fined M.D. Anderson $4,348,000. After M.D. Anderson filed its petition for review, HHS conceded that it could not defend a fine in excess of $450,000. The Government's decision was arbitrary, capricious, and contrary to law. We grant the petition for review and vacate the penalty.

I.

Three unfortunate events set the stage for this lawsuit. First, back in 2012, an M.D. Anderson faculty member's laptop was stolen. The laptop was not encrypted or password-protected but contained "electronic protected health information (ePHI) for 29,021 individuals." Second, also in 2012, an M.D. Anderson trainee lost an unencrypted USB thumb drive during her evening commute. That thumb drive contained ePHI for over 2,000 individuals. Finally, in 2013, a visiting researcher at M.D. Anderson misplaced another unencrypted USB thumb drive, this time containing ePHI for nearly 3,600 individuals.

M.D. Anderson disclosed these incidents to HHS. Then HHS determined that M.D. Anderson had violated two federal regulations. HHS promulgated both of those regulations under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act of 2009 (the "HITECH Act"). The first regulation requires entities covered by HIPAA and the HITECH Act to "[i]mplement a mechanism to encrypt" ePHI or adopt some other "reasonable and appropriate" method to limit access to patient data. 45 C.F.R. §§ 164.312(a)(2)(iv), 164.306(d) (the "Encryption Rule"). The second regulation prohibits the unpermitted disclosure of protected health information. Id. § 164.502(a) (the "Disclosure Rule").

HHS also determined that M.D. Anderson had "reasonable cause" to know that it had violated the rules. 42 U.S.C. § 1320d-5(a)(1)(B) (setting out the "reasonable cause" culpability standard). So, in a purported exercise of its power under 42 U.S.C. § 1320d-5 (HIPAA's enforcement provision), HHS assessed daily penalties of $1,348,000 for the Encryption Rule violations, $1,500,000 for the 2012 Disclosure Rule violations, and $1,500,000 for the 2013 Disclosure Rule violations. In total, HHS imposed a civil monetary penalty ("CMP" or "penalty") of $4,348,000.

M.D. Anderson unsuccessfully worked its way through two levels of administrative appeals. Then it petitioned our court for review. See 42 U.S.C. § 1320a-7a(e) (authorizing judicial review). After M.D. Anderson filed its petition, the Government conceded that it could not defend its penalty and asked us to reduce it by a factor of 10 to $450,000.

II.

The principal argument in M.D. Anderson's petition is that a state agency is not a "person" covered by HIPAA's enforcement provision. See 42 U.S.C. § 1320d-5. For the sake of today's decision, we assume that M.D. Anderson is such a "person" and that the enforcement provision therefore applies. The petition for review nonetheless must be granted for an independent reason: the CMP violates the Administrative Procedure Act ("APA").

A.

The APA directs us to "hold unlawful and set aside" agency actions that are "arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law." 5 U.S.C. § 706(2) ; see Windsor Place v. U.S. Dep't of Health & Hum. Servs. , 649 F.3d 293, 297 (5th Cir. 2011) (per curiam). To that end, we must "insist that an agency examine the relevant data and articulate a satisfactory explanation for its action." FCC v. Fox Television Stations, Inc. , 556 U.S. 502, 513, 129 S.Ct. 1800, 173 L.Ed.2d 738 (2009) (quotation omitted). Our review is "searching and careful," Marsh v. Or. Nat. Res. Council , 490 U.S. 360, 378, 109 S.Ct. 1851, 104 L.Ed.2d 377 (1989) (quotation omitted), and we only consider the reasoning "articulated by the agency itself," Motor Vehicle Mfrs. Ass'n v. State Farm Mut. Auto. Ins. Co. , 463 U.S. 29, 50, 103 S.Ct. 2856, 77 L.Ed.2d 443 (1983). Post hoc rationalizations offered by the Government's counsel are irrelevant. See ibid.

In conducting arbitrary-and-capricious review, we must ensure that the agency did not "entirely fail[ ] to consider an important aspect of the problem" that it seeks to address. Id. at 43, 103 S.Ct. 2856. And we must reject "an explanation for its decision that runs counter to the evidence before the agency, or is so implausible that it could not be ascribed to a difference in view or the product of agency expertise." Ibid. Put simply, we must set aside any action premised on reasoning that fails to account for "relevant factors" or evinces "a clear error of judgment." Marsh , 490 U.S. at 378, 109 S.Ct. 1851 (quotation omitted).

The Supreme Court also has "made clear, however, that a court is not to substitute its judgment for that of the agency and should uphold a decision of less than ideal clarity if the agency's path may reasonably be discerned." Fox , 556 U.S. at 513–14, 129 S.Ct. 1800 (quotation omitted). "Agencies ... have expertise and experience in administering their statutes that no court can properly ignore."

Judulang v. Holder , 565 U.S. 42, 53, 132 S.Ct. 476, 181 L.Ed.2d 449 (2011). "Fundamentally, the argument about agency expertise is less about the expertise of agencies in interpreting language than it is about the wisdom of according agencies broad flexibility to administer statutory schemes." Perez v. Mortg. Bankers Ass'n , 575 U.S. 92, 129, 135 S.Ct. 1199, 191 L.Ed.2d 186 (2015) (Thomas, J., concurring in the judgment).

But in this case, HHS steadfastly refused to interpret the statutes at all. The administrative law judge ("ALJ") began his opinion by emphasizing that he would "not address" any of M.D. Anderson's constitutional or statutory arguments. The ALJ understood his authority to extend only to enforcing HHS's regulations—not to interpreting HIPAA, the HITECH Act, any other statute, or any provision of the U.S. Constitution. As the ALJ put it: "My authority to hear and decide this case rests entirely on a delegation from the Secretary [of HHS]. Nothing in that delegation authorizes me to find that the Secretary's regulations are ultra vires ."

The ALJ likewise refused to consider whether the multi-million-dollar CMP was arbitrary or capricious. In response to M.D. Anderson's argument that the CMPs in "other instances of ePHI loss ... were far more lenient than what [the agency] requested in this case," the ALJ concluded: "I do not evaluate penalties based on a comparative standard. There is nothing in the regulations that suggests that I do so."

HHS's Departmental Appeals Board agreed with the ALJ. It held that M.D. Anderson is "free to make its ultra vires argument to a court, but we may not invalidate a regulation." And the Board likewise agreed with the ALJ that the agency has no power to review penalties for arbitrariness or capriciousness because "there is nothing in the regulations that suggests that the ALJ evaluate penalties based on a comparative standard."

Thus, with respect to M.D. Anderson's APA arguments—whether the CMP is arbitrary, capricious, or otherwise inconsistent with Congress's statutes—it is impossible for us to substitute our judgment for the agency's. See Fox , 556 U.S. at 513–14, 129 S.Ct. 1800. That's because the agency itself repeatedly insisted that it was not offering a judgment at all. In accordance with HHS's steadfast insistence in the administrative record, our review of M.D. Anderson's statutory arguments is de novo .

Our review of M.D. Anderson's regulatory arguments is also de novo . As the Supreme Court recently emphasized, "a court should not afford Auer deference unless the regulation is genuinely ambiguous." Kisor v. Wilkie , ––– U.S. ––––, 139 S. Ct. 2400, 2415, 204 L.Ed.2d 841 (2019).¹ HHS never suggests that its regulations are ambiguous, nor does it even cite Auer . Therefore, each HHS regulation "just means what it means—and the court must give it effect, as the court would any law." Ibid .

B.

The Government's CMP order against M.D. Anderson was arbitrary, capricious, and otherwise unlawful. That's for at least four independent reasons.

1.

Let's start with the Encryption Rule. That Rule provides, in relevant part, that a HIPAA-covered entity must "[i]mplement a mechanism to encrypt and decrypt electronic protected health information." 45 C.F.R. § 164.312(a)(2)(iv) (emphasis added).² It is undisputed that M.D. Anderson implemented "a mechanism." For example, M.D. Anderson's "Information Resources Acceptable Use Agreement and User Acknowledgement for Employees" specified: "If confidential or protected MDACC data is stored on portable computing devices, it must be encrypted and backed up to a network server for recovery in the event of a disaster or loss of information." M.D. Anderson furnished its employees an "IronKey" to encrypt and decrypt mobile devices and trained its employees on how to use it. M.D. Anderson also implemented a...