Last month we had an incredibly insightful Fast Break analyzing a significant HIPAA enforcement victory for The University of Texas MD Anderson Cancer Center (MD Anderson) in the US Court of Appeals for the Fifth Circuit. If you missed our live program with Morgan Lewis partner Scott McBride and MD Anderson Deputy Chief Compliance Officer Krista Barnes, you can still view the presentation, or check out the highlights below.
Scott and Krista first provided an overview of the case, which involved a laptop stolen from a researcher’s home in 2012 and two USB drives lost in 2013. MD Anderson voluntarily reported these incidents to Department of Health and Human Services (HHS) Office for Civil Rights (OCR), although there was no indication that any unauthorized access occurred and no evidence of financial or reputational harm to any individuals. Nevertheless, treating the lack of encryption on these stolen/lost devices as an unauthorized disclosure, OCR alleged that MD Anderson improperly disclosed electronic protected health information (ePHI) lost devices and ultimately levied a $4.3 million civil money penalty (CMP).
Ultimately, although other major healthcare providers that had received these types of fines were settling with OCR, MD Anderson decided to test its defense in the administrative appeals process. With several levels of unfavorable administrative review and a federal district court decision upholding OCR’s determination, MD Anderson pursued an appeal at the Fifth Circuit. The Fifth Circuit determined that OCR’s imposition of a fine—of any amount—under the facts of the case was contrary to a reasonable reading of its own regulations as well as the underlying statute.
Scott and Krista analyzed the four independent reasons that ultimately led to the Fifth Circuit’s decision to vacate the CMP, which included issues of regulatory encryption requirements, HHS’s definition of “disclosure,” HHS’s decision to impose a CMP against some covered entities and not others, and the high penalty amount sought by HHS. For a detailed summary on the Fifth Circuit’s decision, see our LawFlash, Fifth Circuit Vacates Civil Money Penalty, Finds MD Anderson in Compliance with HIPAA.
Scott and Krista wrapped up the presentation with an eye to the future. While healthcare providers may take some comfort in the decision’s conclusion that the regulations do not create strict liability or require a “bulletproof” mechanism for PHI protection, they should continue to be vigilant in maintaining patient privacy and security. It is important to remember too that the events at issue occurred in 2012–2013 and that standards for PHI protection have changed and even today are continuing to evolve. For instance, OCR is in the process of revising HIPAA regulations, so it is possible that the regulatory gaps the Fifth Circuit identified in this case may be filled with future rulemaking.
Later this month, we will chat with Daniel Kadish, a Morgan Lewis labor and employment associate and member of our COVID-19 compliance and counseling team, to discuss issues for healthcare employers in navigating return-to-work issues. Join us on April 27 at 3:00 pm ET.
Don't forget you can view any of our previous webinars on our Fast Break series page >>