CPW has previously covered the proliferation of data breaches, including in the healthcare context. In a dramatic rebuttal of how the Department of Health and Human Services Office of Civil Rights (“OCR”) has historically enforced HIPAA, the Fifth Circuit Court of Appeals recently handed down a landmark decision vacating a multi-million dollar penalty that had been assessed against a healthcare provider. The case concerned three alleged data breaches and violations of various HIPAA requirements involving the University of Texas M.D. Anderson Cancer Center (“M.D. Anderson”). Following an OCR enforcement action, OCR imposed a US$4,348,000 penalty, which M.D. Anderson appealed up to the Fifth Circuit. In rejecting the penalty, the Court criticized not only OCR’s interpretation of the HIPAA regulations generally but also OCR’s penalty calculation in this case.
(1) The HIPAA Security Rule Encryption Requirement. The Court first interpreted the HIPAA Security Rule requirement to encrypt ePHI. OCR claimed that M.D. Anderson violated this requirement because, although it had adopted a policy to encrypt portable media, that policy was not implemented on the devices at issue. The Court, however, ruled that HIPAA only requires Covered Entities to implement a “mechanism” to encrypt data. Here, the Court found that M.D. Anderson had adopted a “mechanism” to encrypt (through its policy requiring such encryption) even if that “mechanism” was not perfectly implemented. In other words, the failure to fully implement the encryption policy did not itself violate the HIPAA encryption requirement.
(2) The HIPAA Privacy Rule Prohibition on Unauthorized Disclosures. The Court next held that the Privacy Rule prohibition on unauthorized “disclosures” is only violated when there is an affirmative act of disclosure, rather than a general loss of data. According to the Court, the mere “loss of control” of PHI (e.g., when a device is stolen), therefore, does not constitute an unauthorized “disclosure.” This position mirrors how California courts have interpreted similar provisions in the analogous state Confidentiality of Medical Information Act (“CMIA”). See, e.g., Sutter Health v. Superior Court, 174 Cal. Rptr. 3d 653 (Cal. 3d Dist. Ct. App. July 21, 2014).
CPW’s Elliot Golding, Kristin Bryan and Christina Lamoureux have prepared an overview of this must-read case and its implications here.