In a recent ruling, the Fifth Circuit found that although the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires a covered entity to implement an encryption mechanism or to adopt an alternative and equivalent method to protect electronic protected health information (ePHI), it does not address the effectiveness of an encryption mechanism.
By way of background, between 2012 and 2013, MD Anderson Cancer Center (the Center) suffered three data breaches, resulting from a lost unencrypted laptop containing ePHI of individuals and two lost unencrypted USB thumb drives containing ePHI. On February 8, 2019, the HHS Departmental Appeals Board affirmed an administrative law judge's decision sustaining HHS's civil monetary penalties for the following violations: (1) failure to implement encryption or adopt an alternative and equivalent method to limit access to ePHI stored on electronic devices, and (2) unauthorized disclosure of protected health information in violation of HIPAA and the Health Information Technology for Economic and Clinical Health Act. As a result, HHS imposed more than $4.3 million in civil penalties.
According to the Fifth Circuit, HHS's ruling on the Center's encryption measures was made in error. Even though the laptop and USB thumb drives were not encrypted, the Center nevertheless met the Security Rule's encryption requirement, since the Center had an encryption mechanism in place. Further, the Fifth Circuit determined that HHS failed to prove that the Center disclosed ePHI to someone outside the covered entity. Therefore, HHS failed to demonstrate that the Center met HIPAA's definition of disclosure, which requires an affirmative act to disclose information.
In addition, the Fifth Circuit found that the penalty imposed by HHS was arbitrary and capricious, since it enforced the civil monetary penalty rules against some entities and not others. Further, the Fifth Circuit was concerned that HHS had misinterpreted the per-year cap at $1.5 million, when the per-year cap was $100,000 (See 42 U.S.C. § 1320d-5(a)(3)(B)).