Compliance Checkup & Corporate TIPS: Fifth Circuit Shines a Light on HIPAA "Encryption" and "Disclosure" Rules in M.D. Anderson Decision
By Laura F. Fryan on May 11, 2021
Earlier this year, the Fifth Circuit Court of Appeals handed down a decision vacating a $4.3 million civil penalty that the U.S. Department of Health and Human Services (HHS) had imposed on the University of Texas MD Anderson Cancer Center for self-reported HIPAA violations, including violations of what the court called the Encryption Rule and the Disclosure Rule.
MD Anderson's violations stemmed from the loss of three unencrypted devices: a laptop computer that was stolen from a physician's home, and two USB drives, one of which was lost on an MD Anderson intra-campus bus.
HHS contended that the use of unencrypted devices was a per se violation of HIPAA's requirement that data stored on electronic devices that travel to and from hospital premises "must be encrypted or protected with access controls." HHS also alleged that the loss of the laptop and the two USB drives constituted unlawful disclosures of electronic Protected Health Information (ePHI).
How the court changed our understanding of encryption and disclosure:
After HHS levied the penalty, MD Anderson challenged it, and the Fifth Circuit disagreed with HHS on both issues.
First, regarding encryption, HIPAA requires that a covered entity implement a mechanism to encrypt ePHI, and it was undisputed that MD Anderson had, in fact, implemented an encryption mechanism through its policies, procedures, technology, and employee training. HHS argued that MD Anderson should have done more, and that the laptop and the USB drives were themselves unencrypted, but the court noted that those failures did not mean that MD Anderson had not implemented "a mechanism" to encrypt ePHI. Rather, "[i]t only [meant] that three employees failed to abide by the encryption mechanism, or that MD Anderson did not enforce that mechanism rigorously enough. And nothing in HHS's regulation says that a covered entity's failure to encrypt three devices means that it never implemented 'a mechanism' to encrypt anything at all."
As for the Disclosure Rule, the court refused to adopt a meaning of "disclosure" that included the passive loss of ePHI. Instead, the Fifth Circuit held that an affirmative act of disclosure is required to constitute a violation. Moreover, a disclosure under HHS's own definition must divulge information to someone outside the entity holding it, and there was no evidence that anyone, and in particular anyone outside of MD Anderson, ever received the lost ePHI.
The impact of this decision:
This decision is a huge win for providers! The court's interpretation of encryption and disclosure was practical and helpful, with these specific takeaways:
- Make sure you have encryption policies, procedures, technology, and training in place. Be able to demonstrate that, even if a device is lost or stolen, your practice or facility had a mechanism for encrypting ePHI.
- Enforce your HIPAA policies and procedures. The court faulted MD Anderson's enforcement, not its mechanism, so be able to demonstrate that, at the very least, your practice or facility has implemented all required safeguards and actually applies them to the devices that carry ePHI.
If you have any questions about your encryption policies and procedures, contact your attorney at Brouse McDowell, and we will be happy to help ensure you have the appropriate mechanisms in place.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney client relationship is created or implied by this Blog. © 2023 Brouse McDowell. All rights reserved.