The 5th U.S. Circuit Court of Appeals has weakened the Office of Civil Rights’ (OCR) ability to enforce HIPAA regulations and financial penalties.
The University of Texas M.D. Anderson v. U.S. Department of Health and Human Services case ruling says that covered entities are not required to have “bulletproof” protections for safeguarding electronic protected health information (ePHI). But when it comes to email, encryption is still the preferred method to secure patient data.
What was the alleged HIPAA violation?
The University of Texas MD Anderson Cancer Center in Houston had three data breaches between 2011 and 2012. An unencrypted laptop was stolen from an employee’s house, and two other employees lost two unencrypted universal serial bus (USB) thumb drives. All three devices contained ePHI.
The OCR subsequently fined MD Anderson for failing to keep ePHI protected. MD Anderson was ordered to pay $4,349,000 for violating HIPAA rules.
How did MD Anderson respond?
MD Anderson appealed the decision to the 5th U.S. Circuit Court of Appeals. The healthcare provider claimed that HIPAA regulations don’t require encryption, and that it had used other mechanisms to protect ePHI.
The specific HIPAA security regulation that was questioned was the technical safeguard requirement for covered entities to implement a “mechanism” to encrypt and decrypt ePHI.
In this case, MD Anderson’s “mechanism” was to require employees to encrypt mobile devices, and it gave them the tools to do so.
The 5th Circuit ruled that MD Anderson had indeed maintained a mechanism to protect ePHI, and the HIPAA Security Rule doesn’t mention needing a “bulletproof” mechanism, nor is there any mention of enforcing the mechanism rigorously.
The court also ruled that MD Anderson didn’t have to pay the $4.3 million fine because it was arbitrary and capricious compared to similar data breaches with no fine administered.
What does the 5th Circuit ruling mean for HIPAA regulations?
The 5th Circuit also made two additional points concerning HIPAA enforcement. These points clarified what the OCR needs to prove regarding a HIPAA violation and what is considered “disclosure.”
These two points are:
- The OCR failed to prove that unauthorized users received the stolen ePHI.
- Loss of ePHI via theft or loss of mobile devices doesn’t fall under the category of “disclosure.” A disclosure can only occur when there is an affirmative act of disclosure by the covered entity and the disclosure happened to someone outside of the covered entity.
What do healthcare providers need to know about HIPAA safeguards?
The OCR will surely be reviewing its regulations and creating new rules to cover the enforcement deficiencies identified by the M.D. Anderson case.
While you are not currently legally obligated to encrypt your data, it’s essential for healthcare providers to understand the importance of technical safeguards. It’s a good practice to routinely review your HIPAA compliance plans and stay current with HIPAA regulations.
It’s important to note that this case only relieved MD Anderson’s financial penalties. The healthcare provider still faces government investigation and litigation for the data breaches.
Final word: Be on the safe side of HIPAA rules
Patients expect their information to be kept confidential and safe from unauthorized users. Encrypting your data will strengthen your relationship with your patients and keep them at ease.
One of the most common forms of data breaches occurs when employees are sent phishing emails, spam, viruses, or malware via email. Paubox Email Suite Plus blocks potentially harmful emails from reaching your employees’ inboxes with robust inbound security tools. It also includes our patented ExecProtect feature, which blocks display name spoofing emails.
With Paubox, you can rest assured that you are sending HIPAA compliant email. Every message is sent with blanket TLS email encryption, and our solutions easily integrate with your current email provider, like Google Workspace or Microsoft 365. This means you can safely send email straight to your patients’ inbox – no need for client portals or third-party apps.