Court Sends OCR back to the Drawing Board on HIPAA Enforcement
Episode 1421st January 2021 • This Week Health: News • This Week Health

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the most intelligent robots can sometimes get speech recognition wrong.

Today in Health IT: the Fifth Circuit US Court of Appeals, out of Louisiana, vacated a $4.3 million HIPAA penalty against MD Anderson Cancer Center. We explore what this could possibly mean. My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged.

Today's sponsor is Sirius Healthcare. We appreciate their continued support of our mission to develop the next generation of health IT leaders. Okay, on to today's story. You know, it is an interesting ruling. So, as I said in the title, the Fifth Circuit US Court of Appeals out of Louisiana vacated a $4.3 million HIPAA penalty against MD Anderson Cancer Center.

I'm just gonna read from the article. The article is from Data Breach Today. It's an article from what date? January 15th. So here you go: In a ruling that could have profound impact on HIPAA enforcement, a US Court of Appeals has vacated a $4.3 million HIPAA civil monetary penalty levied by federal regulators against the University of Texas MD Anderson Cancer Center in the wake of three breaches involving unencrypted mobile devices.

The court called the penalty arbitrary, capricious, and contrary to law. Among the reasons for vacating the penalty, the court noted that MD Anderson, at the time of the incident, had in place the mechanism to encrypt PHI on mobile devices, but three employees failed to use the encryption control before the laptop and two USB devices vanished.

The court also criticized how HHS calculated the financial penalty. Let's see, I'm just gonna go through here 'cause there's a really good section in this article where it talks about the blockbuster decision. Here we go. Privacy attorney Kirk Nahra of the law firm WilmerHale says the court's decision is a bit of a blockbuster, as it goes after OCR's general approach to enforcement and severely limits the penalty ability of the agency. Among the court findings that could be contested by HHS is whether a mere loss of unsecured protected health information is not a disclosure of PHI as defined by HIPAA, predicts regulatory attorney Paul Hales of the Hales Law Group. This has enormous implications. For example, loss or theft of an unencrypted laptop containing PHI is considered a reportable breach of unsecured PHI.

He notes in the case HHS conceded that it could not prove someone outside MD Anderson received the lost unencrypted devices and the PHI they contained. That logic would hamstring all enforcement activity regarding lost unencrypted laptops. Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says the court's decision has a number of big impacts. The ruling essentially sets forth that a covered entity or a business associate must implement a mechanism for encryption, but is not responsible for violating the HIPAA Security Rule if the workforce does not use the mechanism. He says the ruling undermines the entire OCR enforcement approach, indicating that it is arbitrary and capricious for OCR to select a few cases for financial enforcement if the result is that similar fact patterns are enforced differently.

So this is fascinating to me. When I was the CIO, we actually had two breaches while I was there. The first would not fall into this category, but the second would clearly fall into this category. We had mechanisms in place to secure USB drives, to encrypt data at rest and data in motion. We had training in place.

We had all those things in place. We acquired an ASC, actually a group of ambulatory surgery centers, and an enterprising person decided, I'm gonna back up the EHR data just in case, you know, we need it in the future. And they put it on a USB drive. Their purse was stolen and, because that purse was stolen, we had to report.

And then there were fines associated with that and whatnot. To be honest with you, because we had the mechanism, we had IronKey, we had training, we had all those things, based on this ruling we should actually go back and fight. And that's sort of my so what for this: you know, if I had a ruling against my health system recently, like say within the last two years, I'd be talking to a lawyer right now. I'd see if there's a chance that we could retry the case or look at the case.

You know, this really sends OCR back to the drawing board. They have to be consistent in their enforcement and more specifically in their fines. Clearly this doesn't change anything for health systems. We have to protect the data. We have to encrypt, we have to train, we have to protect our patients' data, period, or full stop, as people are saying. This is more about what OCR has to do: set the foundation for a consistent measure of a breach and its impact.

That's all for today. If you know of someone who might benefit from our channel, please forward them a note. They can subscribe on our website, thisweekhealth.com, or wherever you listen to podcasts: Apple, Google, Overcast, Spotify, Stitcher.

It's everywhere. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders: VMware, Hillrom, and Starburst Advisors. Thanks for listening. That's all for now.
