Erin Dunlap Provides Insight on Overturned HIPAA Penalty for Healthcare Risk Management

When the Fifth U.S. Circuit Court of Appeals overturned a $4.3 million civil monetary penalty imposed on the University of Texas M.D. Anderson Cancer Center by the U.S. Department of Health and Human Services (HHS), Healthcare Risk Management asked health care data privacy attorney Erin Dunlap to explain how the decision may impact HIPAA covered entities and business associates.

Erin called the decision a “game changer,” particularly in how entities subject to HIPAA will view HIPAA’s encryption rule, evaluate a loss of protected health information (PHI) and engage with HHS in settling investigations. Erin specifically highlighted the Fifth Circuit’s position that the encryption specification was not a strict liability rule and perfection or ‘bulletproof protection’ is not the standard. This is helpful for HIPAA covered entities and business associates who are taking reasonable and appropriate steps to comply with the HIPAA requirements but, in reality, cannot control every decision of every workforce member in a given day.

Erin, a nationally recognized expert in health care data privacy and security, also explained how organizations subject to HIPAA can point to the Fifth Circuit’s interpretation of “disclosure” if they experience a loss of PHI.  She also believes a more comparative standard may be applied in OCR investigations and settlement discussions as a result of this decision, which may prompt HIPAA covered entities and business associates to push back on penalty calculations and settlement offers.

With a deep bench in HIPAA, 42 C.F.R. Part 2, state privacy laws and the new Information Blocking Rule, Erin regularly advises organizations working in the health care space on a variety of privacy and security-related compliance issues, including breach evaluation and reporting and HHS investigations.
