Friday, June 2, 2023

5th Circuit vacates $4.3M HHS enforcement penalty for HIPAA violations


Last month, the United States Court of Appeals for the Fifth Circuit issued a ruling vacating a $4.3 million civil monetary penalty (CMP) imposed on the University of Texas MD Anderson Cancer Center (Anderson) by the United States Department of Health and Human Services (HHS) for alleged violations of the HIPAA Privacy and Security Rules. The case originated from three separate voluntary breach reports made by Anderson to HHS in 2012 and 2013, involving one stolen unencrypted laptop and two lost unencrypted USB drives, which together contained the electronic protected health information (ePHI) of over 34,000 individuals.

The Court offered a scathing assessment of HHS's enforcement action, explaining that HHS's fine against Anderson was "arbitrary, capricious, and otherwise unlawful... for at least four independent reasons."

First, the Court criticized HHS's interpretation of the Security Rule's requirement that all covered entities "implement a mechanism to encrypt and decrypt [ePHI]." The Court found that the rule does only what it plainly states (it requires the covered entity to implement "a mechanism" for encryption) and concluded that Anderson did just that. In doing so, the Court rejected HHS's argument that Anderson's failure to actually encrypt the three devices involved in the breaches was a violation of this encryption requirement, stating that the regulation "does not require a covered entity to warrant its mechanism provides bulletproof protection of all systems containing ePHI."

Second, the Court disagreed with HHS's interpretation of the rules prohibiting a covered entity from disclosing ePHI except as permitted by the HIPAA Privacy Rule. Where HHS argued that a "disclosure" under the HIPAA Rules occurs when there is a "loss of control" of devices containing ePHI, the Court concluded that the ePHI must affirmatively be transferred to a person outside the covered entity. The Court went on to reject HHS's argument that such a standard would be too difficult for the agency to meet.

Third, the Court noted that HHS "arbitrarily and capriciously" enforced the CMP rules against Anderson while other covered entities faced zero financial penalties, explaining that "a bedrock principle of administrative law is to treat like cases alike."

Finally, the Court took issue with and vacated the $4.3 million penalty amount that HHS imposed on Anderson as exceeding the penalty caps set by Congress in the HIPAA statutes. The Court observed that the HIPAA violations at issue were found to be the result of "reasonable cause" and not "willful neglect," and that the statutory cap for such violations was $100,000 for all violations of the same requirement. The Court also observed that in this case HHS itself conceded that it only had authority to issue a fine of up to $450,000 under the statutory penalty limits.

While covered entities should be mindful of the guidance offered by the ruling, the extent of the ruling's impact, particularly on how HHS will enforce similar incidents in the future, remains to be seen.

Jennifer Pike and Milada Goturi are members of Thompson Coburn's Health Care group.
