Baker & Hostetler LLP

07/31/2024 | Press release | Distributed by Public on 07/31/2024 07:22

The Future for Healthcare Is So Loper Bright, I Gotta Wear Shades


On June 28, in Loper Bright Enterprises v. Raimondo (Loper Bright), the U.S. Supreme Court overturned the doctrine of Chevron deference, upending 40 years of precedent and significantly shifting power to the courts to interpret laws administered by federal agencies. As one of the most heavily regulated industries at the federal level, the healthcare industry is sure to feel this change acutely. Here, we examine Loper Bright's impact on one agency in particular - the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the agency responsible for enforcing the Health Insurance Portability and Accountability Act's (HIPAA) Privacy, Security and Breach Notification Rules - and the healthcare entities it regulates.

Key Takeaways

  • Healthcare entities can take advantage of expected fallout from Loper Bright in that federal courts are expected to interpret ambiguous statutes independently and will not be required to give any weight to the agency's interpretation.
  • To avoid judicial scrutiny, OCR is likely to take a more methodical approach to its guidance and enforcement actions against HIPAA-regulated entities, providing more detail on its findings to map to the regulations.
  • Certain areas of HIPAA are ripe for challenges and others less so. While healthcare entities may find the courthouse to be a friend in HIPAA interpretation against the OCR, they may face uncertainty as to which interpretation applies to them, depending on their jurisdiction and varying court interpretations.

Background: What Is "Chevron Deference"?

In 1984, in Chevron v. Natural Resources Defense Council (Chevron), the Supreme Court adopted a two-step approach broadly applicable to review of agency action. Chevron required courts reviewing agency action to first discern whether Congress had spoken to the specific issue. If it had not, the court would then defer to the agency's interpretation of the law or regulation, unless the federal agency had adopted an unreasonable or impermissible position or violated another statutory obligation, such as the procedure used to adopt the decision or rule. Chevron explained that such deference was appropriate because of agencies' expertise, experience and political accountability in resolving statutory ambiguity.

This approach - which came to be known as the Chevron doctrine - essentially gave federal administrative agencies the primary role in interpreting and enforcing ambiguous statutes and regulations, thereby significantly reducing the role federal courts have played in reviewing administrative agencies' rules and orders for the past 40 years. The primary criticism of the Chevron doctrine was that it gave unelected federal officials too much power to craft regulations that were practically shielded from judicial review - even if the agency's interpretation was a novel approach or conflicted or changed with successive presidential administrations.

Loper Bright's Reasoning

In Loper Bright, the Court concluded that the Chevron doctrine could not be reconciled with the Administrative Procedure Act (APA) - which specifies that courts, not agencies, will decide "all relevant questions of law" arising on review of agency action - and the long-standing rule that courts "say what the law is," citing Marbury v. Madison from way back in 1803. As the Court puts it, rather than requiring that "respect" be given to executive branch interpretations, Chevron "demands … binding deference to agency interpretations" even when the agency's interpretation has shifted over time or the courts have ruled otherwise.

Going forward, although courts may consider an agency's interpretation of an ambiguous statute, Loper Bright explains that they cannot defer to it but "must exercise their independent judgment in deciding whether an agency has acted within its statutory authority." Loper Bright rejected the notion that agencies' subject matter expertise in the statutes they administer warrants deference, pointing out that Congress expects courts to handle statutory questions, and courts did so for over a century without issue in agency cases before Chevron. Loper Bright states that although it may be informative, an agency's interpretation of a statute cannot bind a court.

Impact on OCR Guidance & Enforcement

With Chevron deference no more, we expect a significant shift in the landscape of federal administrative law for healthcare entities. Loper Bright has opened up new opportunities to challenge rules and actions that were previously thought to be unchallengeable. In addition, we anticipate federal agencies will take a more cautious, methodical approach to rulemaking as courts will now have more freedom to use their own judgment under the APA.

Agencies under HHS, including OCR, have a complex web of rules, regulations and other guidance they administer, which many argue often surpasses the authority granted by Congress. Indeed, OCR has historically issued guidance that stretches statutory language (to put it mildly) and has gone down the road to enforcement where the alleged violation is tenuous. Despite this, OCR has very rarely been challenged in the courts. Notably, even in the era of Chevron deference, when OCR was challenged in its enforcement of HIPAA, the courts have sided with the challenger. Successful challenges from HIPAA-regulated entities are found in Ciox Health, LLC v. Azar, 35 F. Supp. 3d 30 (D.D.C. 2020), in The University of Texas M.D. Anderson Cancer Center v. United States Department of Health and Human Services, No. 19-60226 (5th Cir. 2021), and recently in American Hospital Association et al. v. Becerra, No. 4:23-cv-01110-P (N.D. Tex., June 20, 2024). Based on our experience in defending healthcare entities since OCR became the HIPAA enforcer, below we offer several areas that may be ripe for a Loper Bright challenge.

1. Security Risk Analyses

The HIPAA Security Rule is one area where OCR has scrutinized covered entities and business associates with inconsistent interpretations and application of the rule in its investigations. Looking at recent OCR resolution agreements and corrective action plans, nearly all have found some delinquency in the entities' security risk analyses. While HIPAA requires a regulated entity to conduct a security risk analysis, the requirement is vague, specifically stating that it be "an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [regulated] entity." 45 C.F.R. 164.308(a)(1)(ii)(A).

In the Health Information Technology for Economic and Clinical Health Act, Congress tasked HHS with issuing annual guidance on "effective and appropriate technical safeguards" for the Security Rule, including the risk analysis requirement. The Supreme Court in Loper Bright addressed this scenario, i.e., where Congress expressly delegates to an agency the authority to give meaning to a particular statutory term:

When the best reading of a statute is that it delegates discretionary authority to an agency, the role of the reviewing court under the APA is, as always, to independently interpret the statute and effectuate the will of Congress subject to constitutional limits. The court fulfills that role by recognizing constitutional delegations, fixing the boundaries of the delegated authority, and ensuring the agency has engaged in reasoned decision making within those boundaries. By doing so, a court upholds the traditional conception of the judicial function that the APA adopts. (Internal citations omitted.)

Pursuant to this delegation, OCR has issued various guidance pieces on complying with the risk analysis requirement. The guidance itself is unlikely to be challenged - even in a post-Chevron world - given that the statutory text is vague and Congress has specifically tasked HHS with issuing such guidance. However, while its guidance on risk analyses may be relatively safe from challenge, OCR's enforcement activities related to the risk analysis requirement are not.

In most OCR investigations involving any security incident, no matter how large or small, OCR requests the covered entity's most-recent risk analysis, and often all risk analyses for the past six years. In some instances, OCR telegraphs that the risk analysis is insufficient, either by continuing to request a "compliant" risk analysis, requesting an updated risk analysis or offering technical assistance by linking to its guidance pieces. OCR does not specify what was lacking in the risk analyses previously produced or the reasons for their insufficiency or noncompliance. Generally speaking, the only time a covered entity will receive specific feedback from OCR on a risk analysis is when it agrees to a resolution agreement and enters into a corrective action plan with OCR and a payment of a resolution dollar amount.

This type of inconsistent and unpredictable enforcement action is ripe for challenge under Loper Bright, particularly in cases where OCR alleges a categorical violation of the risk analysis requirement without pointing to any specific failures. In some cases, OCR will allege a technical HIPAA violation - for example, failure to execute a business associate agreement with a parent company - along with the more nebulous allegation of failure to comply with the risk analysis requirement, as the technical violation may help OCR avoid judicial review (i.e., if the regulated entity knows it will lose on the technical violation, it may be less likely to challenge the other alleged violation).

In our experience, the administrative law judges who grade the OCR's work have historically sided with OCR as almost a rubber stamp. But now, without the need to contend with Chevron deference, we expect regulated entities will be more apt to seek judicial review of OCR enforcement action related to risk analyses.

2. Four-Factor Risk Assessment

OCR's interpretation of the four-factor risk assessment is another area in which OCR will likely face increased Loper Bright challenges. Under the HIPAA Breach Notification Rule, an acquisition, access, use or disclosure of protected health information (PHI) is presumed to be a breach unless the regulated entity demonstrates that there is a low probability that the PHI has been compromised based on the four-factor risk assessment. The regulations and the final rule commentary from 2013 are clear and unambiguous. However, OCR has interpreted the assessment in such a way that makes the presumption nearly impossible to overcome. The factors to be considered are clearly stated as:

  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • Whether the protected health information was actually acquired or viewed; and
  • The extent to which the risk to the protected health information has been mitigated.

45 C.F.R. 164.402(2). HHS' commentary to the final rule provides additional information regarding what a regulated entity is to consider when assessing each of these factors, and other factors where necessary. Regulated entities must then evaluate the overall probability that the PHI has been compromised by considering all the factors in combination.

In the Chevron deference era, OCR was rarely challenged in its interpretation of the four-factor risk assessment. A notable example is a 2019 resolution agreement OCR reached with a large health system. The underlying incident occurred when the health system mailed 577 patient bills, which included only patient names, account numbers and dates of service, to the wrong addresses due to a mail-merge issue. The covered entity risk-assessed all but eight patients whose diagnosis or other medical information was included in the mailings. A reasonable conclusion of the four-factor risk assessment, and specifically the first factor of the nature and extent of PHI, would be to risk-assess out the remaining 569 patients where there was no clinical information - that is, the only "health information" was that the person was a patient at one of the hospitals in the system and the name and amount owed on the bill. OCR disagreed with the risk assessment and directed the health system to consider the incident to be a breach of all 577 individuals' PHI.

We anticipate the four-factor risk assessment, especially when OCR ignores its own reasonable commentary, is more likely to be challenged in a post-Chevron world.

3. Right of Access

In 2019, OCR created the Right of Access Initiative, promising to prioritize patients' rights to receive timely copies of their medical records without being overcharged. In the five years since, OCR has not wavered in that promise, entering into 45 resolution agreements with covered entities related to right of access violations. Subject to limited exceptions, the HIPAA Privacy Rule requires that covered entities give individuals and their designated representatives the right to inspect and/or obtain a copy of their medical record upon request as well as the right to transmit the requested information to a third party, such as an attorney or caretaker. The Privacy Rule specifies the scope, form, timeliness requirements, permitted fees and right to deny access, in whole or in part.

Because the statute is more descriptive in this area, post-Chevron challenges are less likely for OCR right of access enforcement activities. However, we expect OCR will be more cautious in issuing guidance materials related to right of access that go beyond regulatory HIPAA requirements. OCR has already been challenged - and lost - on guidance regarding fees that could be charged for third-party directives (i.e., where a patient directs that a copy of their records be sent to a third party). Now, without any deference, we expect any new guidance that stretches statutory definitions would be quickly challenged - and perhaps even long-standing guidance is vulnerable.

More Challenges, More Problems?

Shortly after Loper Bright, the Supreme Court further opened opportunities to challenge agency rules, no matter how old. On July 1, the Supreme Court issued its decision in Corner Post, Inc. v. Board of Governors of the Federal Reserve System (Corner Post), holding that an APA claim does not accrue for purposes of the six-year statute of limitations until the plaintiff is injured by final agency action. As a practical matter, this means that parties may bring pre-enforcement challenges to long-standing agency rules within six years from the time they are injured. So, while a longtime industry participant would be out of luck to challenge existing agency rules, a new entrant to the industry could most likely bring suit and obtain a decision that affords relief to the entire industry.

But with increased challenges come increased - and potentially differing - interpretations. A main criticism of Loper Bright is that it will lead to varying court interpretations across the country, causing more confusion. Healthcare entities that operate nationally, or across several jurisdictions, may be left grappling with differing opinions as to what the law means, making compliance even more complicated.

The Loper Bright Future

We expect more healthcare entities will challenge the OCR in certain areas. The OCR may take a more cautious approach in its enforcement actions against HIPAA-regulated entities or, as we have seen over the years, may think it's invincible. Regardless of the position the agency takes, we anticipate more HIPAA issues to make their way through the courts for interpretation, which could create additional uncertainty and confusion for HIPAA-regulated entities, depending on their jurisdiction and different court interpretations.