5th Circ. Creates Roadblocks For New HHS Privacy Enforcers
HIPAA and Healthcare Privacy Partner Shannon Hartsfield was interviewed for a Law360 article about a recent decision by the U.S. Court of Appeals for the Fifth Circuit that affects how the Health Insurance Portability and Accountability Act (HIPAA) is enforced by the U.S. Department of Health and Human Services (HHS). The case arose after HHS fined a cancer center approximately $4.3 million following the center's own disclosure of the theft of an unencrypted laptop and the loss of two unencrypted USB drives that contained the electronic protected health information (ePHI) of more than 33,000 people. The Fifth Circuit vacated that fine, finding it "arbitrary, capricious, and contrary to law," and the ruling raises questions about how HHS will enforce HIPAA in the future. Ms. Hartsfield commented that the court's decision strengthens arguments against punishing entities like the cancer center that experience and disclose a loss of protected health information despite having robust encryption mechanisms or compliance programs in place.
"[The opinion] does support the idea that entities that invest in HIPAA compliance programs should not be penalized just because something goes wrong and, as a result, they properly report a data breach," Ms. Hartsfield said. "...[It also] suggests that there is a fairly high bar that the government would need to meet to prove that data went outside the entity, and someone stealing data does not mean that the entity affirmatively acted to disclose the PHI."