March 25, 2021

Fifth Circuit Weighs In on HIPAA Penalties Due to Data Breaches

In a recent ruling, the Fifth Circuit found that although the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires a covered entity to implement an encryption mechanism or to adopt an alternative and equivalent method to protect electronic protected health information (ePHI), it does not address the effectiveness of an encryption mechanism.

By way of background, between 2012 and 2013, MD Anderson Cancer Center (the Center) suffered three data breaches, resulting from a lost unencrypted laptop containing ePHI of individuals and two lost unencrypted USB thumb drives containing ePHI. On February 8, 2019, the HHS Departmental Appeals Board affirmed an administrative law judge's decision sustaining HHS's civil monetary penalties for the following violations: (1) failure to implement encryption or adopt an alternative and equivalent method to limit access to ePHI stored on electronic devices, and (2) unauthorized disclosure of protected health information in violation of HIPAA and the Health Information Technology for Economic and Clinical Health Act. As a result, HHS imposed more than $4.3 million in civil penalties.

According to the Fifth Circuit, HHS's ruling on the Center's encryption measures was made in error. Even though the laptop and USB thumb drives were not encrypted, the Center nevertheless met the Security Rule's encryption requirement, since the Center had an encryption mechanism in place. Further, the Fifth Circuit determined that HHS failed to prove that the Center disclosed ePHI to someone outside the covered entity. Therefore, HHS failed to demonstrate that the Center met HIPAA's definition of disclosure, which requires an affirmative act to disclose information.

In addition, the Fifth Circuit found that the penalty imposed by HHS was arbitrary and capricious, since HHS enforced the civil monetary penalty rules against some entities and not others. Further, the Fifth Circuit was concerned that HHS had misinterpreted the per-year cap as $1.5 million, when the per-year cap was $100,000 (see 42 U.S.C. § 1320d-5(a)(3)(B)).




Authors

Alex P. Garens, Partner, Boston, MA | (617) 345-4872
Alexandra MacKenzie Pearsall, Senior Associate, Parsippany, NJ | (973) 966-8154
Erin Magennis Healy, Partner, Parsippany, NJ | (973) 966-8041
Helen Harris, Partner, Stamford, CT | (203) 977-7418
Kritika Bharadwaj, Partner, New York, NY | (212) 297-2477
Richard D. Harris, Partner, Hartford, CT | (860) 275-0294; New Haven, CT | (203) 752-5094
Stanley A. Twardy, Jr., Of Counsel, Stamford, CT | (203) 977-7368
Susan R. Huntington, Partner, Hartford, CT | (860) 275-0168; Washington, D.C. | (202) 218-3909
Thomas A. Zalewski, Partner, Parsippany, NJ | (973) 966-8115
