Saturday, May 14, 2022

Fifth Circuit vacates $4.3M HHS enforcement penalty for HIPAA violations

Last month, the US Court of Appeals for the Fifth Circuit issued a ruling vacating a $4.3 million civil monetary penalty (CMP) against the University of Texas MD Anderson Cancer Center (Anderson) by the US Department of Health and Human Services (HHS) for alleged violations of the HIPAA Privacy and Security Rules. The case originated from three separate voluntary breach reports made by Anderson to HHS in 2012 and 2013, involving one stolen unencrypted laptop and two lost unencrypted USB drives, which contained among them the electronic protected health information (ePHI) of over 34,000 individuals.

The Court offered a scathing analysis of HHS’s enforcement action, explaining that HHS’s fine against Anderson was “arbitrary, capricious, and otherwise unlawful… for at least four independent reasons.”

First, the Court criticized HHS’s interpretation of the Security Rule’s requirement that all covered entities “implement a mechanism to encrypt and decrypt [ePHI].” The Court found that the rule does only as it plainly states – requires the covered entity to implement “a mechanism” for encryption – and concluded that Anderson did just that. In doing so, the Court rejected HHS’s arguments that Anderson’s failure to actually encrypt the three devices involved in the breaches was a violation of this encryption requirement, stating the regulation “doesn’t require a covered entity to warrant its mechanism provides bulletproof protection of all systems containing ePHI.”

Second, the Court disagreed with HHS’s interpretation of the regulations prohibiting a covered entity from disclosing ePHI except as permitted by the HIPAA Privacy Rule. Where HHS argued that “disclosure” under the HIPAA Rules occurs when there is a “loss of control” of devices containing ePHI, the Court concluded that the ePHI must affirmatively be transferred to a person outside the covered entity. The Court went on to reject HHS’s argument that such a standard would be too difficult for the agency to meet.

Third, the Court noted that HHS “arbitrarily and capriciously” enforced the CMP rules over Anderson while other covered entities face zero financial penalties, explaining that “a bedrock principle of administrative law is to treat like cases alike.”

Finally, the Court took issue with and vacated the $4.3 million penalty amount that HHS imposed on Anderson as exceeding the penalty caps set by Congress in the HIPAA statutes. The Court observed that the HIPAA violations at issue were found to be attributable to “reasonable cause” and not “willful neglect” and that the statutory cap for such violations was $100,000 for all violations of the identical requirement. The Court also observed that in this case HHS itself conceded that it only had authority to issue a fine up to $450,000 based on the statutory penalty limits.

While covered entities should take note of the guidance provided by the ruling, the extent of the impact of the ruling, particularly on how HHS will enforce similar incidents in the future, remains to be seen.

Jennifer Pike and Milada Goturi are members of Thompson Coburn’s Health Care group.


