In a recent ruling, the Fifth Circuit held that although the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires a covered entity to implement a mechanism to encrypt electronic protected health information (ePHI), or to adopt an equivalent alternative measure, the rule does not address how effective that encryption mechanism must be or require that it be applied to every device.
By way of background, between 2012 and 2013, MD Anderson Cancer Center (the Center) suffered three data breaches: a lost unencrypted laptop containing the ePHI of individuals and two lost unencrypted USB thumb drives containing ePHI. HHS imposed more than $4.3 million in civil monetary penalties for two violations: (1) failure to implement encryption, or to adopt an alternative and equivalent method, to limit access to ePHI stored on electronic devices, and (2) unauthorized disclosure of protected health information in violation of HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act. On February 8, 2019, the HHS Departmental Appeals Board affirmed an administrative law judge's decision sustaining those penalties.
The Fifth Circuit held that HHS erred on both counts. Even though the laptop and USB thumb drives themselves were not encrypted, the Center met the Security Rule's encryption requirement because it had an encryption mechanism in place; the rule requires a mechanism, not that the mechanism be applied to every device. The court further determined that HHS failed to prove that the Center disclosed ePHI to anyone outside the covered entity. HHS therefore failed to show that the losses met HIPAA's definition of disclosure, which requires an affirmative act of disclosing information.
In addition, the Fifth Circuit found that the penalty imposed by HHS was arbitrary and capricious, because HHS had enforced the civil monetary penalty rules against some entities and not others in comparable circumstances. The court was also troubled that HHS had misread the statutory per-year penalty cap, applying a $1.5 million cap when the cap for the violations at issue was $100,000 per year (see 42 U.S.C. § 1320d-5(a)(3)(B)).
Day Pitney Alert
Copyright © 2024 Day Pitney LLP, all rights reserved.