
Fifth Circuit Weighs In on HIPAA Penalties Due to Data Breaches

Publisher: Day Pitney Cybersecurity, Health and Technology (C.H.A.T.) Newsletter
March 25, 2021
Day Pitney Author(s) Alexandra MacKenzie Pearsall

In a recent ruling, the Fifth Circuit found that although the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires a covered entity to implement an encryption mechanism or to adopt an alternative and equivalent method to protect electronic protected health information (ePHI), it does not address the effectiveness of an encryption mechanism.

By way of background, between 2012 and 2013, MD Anderson Cancer Center (the Center) suffered three data breaches, resulting from a lost unencrypted laptop containing ePHI of individuals and two lost unencrypted USB thumb drives containing ePHI. On February 8, 2019, the HHS Departmental Appeals Board affirmed an administrative law judge's decision sustaining HHS's civil monetary penalties for the following violations: (1) failure to implement encryption or adopt an alternative and equivalent method to limit access to ePHI stored on electronic devices, and (2) unauthorized disclosure of protected health information in violation of HIPAA and the Health Information Technology for Economic and Clinical Health Act. As a result, HHS imposed more than $4.3 million in civil penalties.

According to the Fifth Circuit, HHS's ruling on the Center's encryption measures was made in error. Even though the laptop and USB thumb drives were not encrypted, the Center nevertheless met the Security Rule's encryption requirement, since the Center had an encryption mechanism in place. Further, the Fifth Circuit determined that HHS failed to prove that the Center disclosed ePHI to someone outside the covered entity. Therefore, HHS failed to demonstrate that the Center met HIPAA's definition of disclosure, which requires an affirmative act to disclose information.

In addition, the Fifth Circuit found that the penalty imposed by HHS was arbitrary and capricious, since it enforced the civil monetary penalty rules against some entities and not others. Further, the Fifth Circuit was concerned that HHS had misinterpreted the per-year cap at $1.5 million, when the per-year cap was $100,000 (See 42 U.S.C. § 1320d-5(a)(3)(B)).
