July 12, 2020

Volume X, Number 194

July 10, 2020

Subscribe to Latest Legal News and Analysis

July 09, 2020

Subscribe to Latest Legal News and Analysis

How To Avoid Paying $2,000 A Day To Encrypt ePHI

Let’s hope you don’t pay that much to encrypt electronic Protected Health Information (ePHI). How about a total of $4.3 million over two years? Well, that’s the total penalty for encryption violations assessed by Health and Human Services (HHS). An Administrative Law Judge found the penalty could have been much worse. The facts are sobering. The message is clear.

Two Failures

In this case, a cancer center in Texas failed to encrypt ePHI for nearly two years between 2011 and 2013. In 2012, an unencrypted laptop without password protection was stolen that contained the ePHI of almost 30,000 individuals. The ePHI included names, social security numbers, and treatment or research information. In 2012, an unencrypted USB drive was lost that contained the same kind of ePHI of more than 2,200 individuals. In 2013, an unencrypted USB was lost that was believed to contain similar ePHI of approximately 3,600 individuals.

HHS imposed penalties, and the center appealed to an administrative law judge.

The judge found two violations of the requirement to protect ePHI created by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The center failed to limit access of ePHI to authorized individuals in violation of 45 C.F.R. § 164.312(a). Through theft and loss, the center also disclosed ePHI in violation of 45 C.F.R. § 164.502(a).

The Sobering Facts

In 2006, the center’s security operations manual required that laptops be encrypted or protected with access controls. The manual also required that data on transportable media be encrypted. This policy was reiterated in subsequent documents. In 2008, the decision was made to begin encrypting laptops. In 2009, the process was halted due to financial constraints even though none of thousands of laptops had been encrypted. In 2010, the director of information security proposed restarting the encryption program following theft of a laptop and loss of records. However, no encryption had begun by August 2011. Encryption did begin slowly in May 2012. In June 2013, the compliance officer identified failure to encrypt ePHI as a high risk area. By November 2013, 4,400 computers remained unencrypted. As of January 2014, there still were 2,600 unencrypted computers.

The Judge Rejects Technical Arguments

Technical arguments presented by the center failed to sway the judge. It was a “red herring” for the center to argue that the regulations do not mandate encryption but rather allow flexibility in establishing security. The judge acknowledged encryption is not required, but he found that the center did not attempt to address security through an alternative mechanism. Once the center selected encryption, the judge said “it was obligated to make it work.”

The judge similarly rejected an interpretation that “disclosure” required proof that the information was actually received by someone who lacked authorization. The judge ruled that HHS intended, and had the authority, to protect ePHI rather than “simply redress the consequences of unlawful disclosure.”

The judge portrayed the center’s argument as “fanciful” that the regulations did not apply to research information.

The judge found the center missed the point in arguing that the regulations should penalize the thief rather than the victim of the theft. The judge focused on the point that the case was about “failure to protect ePHI.” (Emphasis in opinion.)

The judge approved two different types of penalties. The judge considered a penalty of $2,000 per day to be justified for failure to protect ePHI under § 164.312(a). “The daily violations are the ongoing failure by Petitioner to protect patient ePHI from unauthorized disclosure, violations that persisted day after day for years.”   The imposed amount was “a small fraction of the maximum allowable daily amount of $50,000” available under the regulations.

The judge approved an additional penalty for disclosure of ePHI in violation of § 164.502(a). The judge counted a violation of release separately “for each affected individual” rather than just three incidents of release as argued by the center. The judge found it “makes no sense” to treat the release of data of many individuals as if the data pertained to only one person. When the number of releases is counted separately for each individual, this penalty easily reached the statutory maximum of $1.5 million per year for identical violations.

The Message is Clear

 The judge’s decision teaches that implementing is less expensive and more efficient than repairing. HHS announced the judge’s decision upholding a total penalty of $4,348,000 with emphasis. The press release proclaimed “OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations.” Entities covered by the regulations should take heed – and take action.

© Copyright 2020 Squire Patton Boggs (US) LLPNational Law Review, Volume VIII, Number 178


About this Author

Thomas E. Zeno, Squire Patton Boggs, Healthcare Fraud Lawyer, Economic Crimes Attorney
Of Counsel

Thomas Zeno has more than 25 years of experience in the US Attorney’s Office for the District of Columbia. During that time, Tom investigated and prosecuted economic crimes involving healthcare, financial institutions, credit cards, computers, identity theft and copyrighted materials. As the office’s Healthcare Fraud Coordinator for the last eight years, Tom supervised investigation strategies of agents from the Federal Bureau of Investigation, the Department of Health and Human Services, the Drug Enforcement Administration and the Medicaid Fraud Control Unit regarding...

202 626 6213
Elliot Golding Privacy and Cybersecurity Attorney Squire Patton Boggs

Elliot Golding is a member of Squire Patton Boggs' Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He was selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, which recognizes those who “represent the best and the brightest of the data law bar around the world.”

Elliot partners with clients to proactively manage risk by developing and implementing information governance programs, drafting privacy and security policies, preparing and testing data breach response plans, and negotiating complex data agreements. He not only counsels clients about what the law currently requires, but also provides industry context and forward-looking advice that takes into account trends and best practices in developing areas, such as the Internet of Things. In particular, Elliot helps clients understand how personal information may be used and disclosed to support business needs so that companies can stay competitive and compliant in a rapidly evolving environment.

Elliot has also managed dozens of breach response matters for companies through all aspects of investigation, notification, remediation and engagement with regulators (including federal regulators such as the Office of Civil Rights [OCR] and State Attorneys General). Elliot has defended clients in litigation by State Attorneys General under state security breach notification laws and the Health Insurance Portability and Accountability Act (HIPAA) and has helped clients successfully avoid enforcement actions altogether by working directly with regulators during investigations.

Elliot's practice covers a wide range of laws, regulations, industry standards and best practices, such as HIPAA and HITECH; 42 CFR Part 2 (Federal Confidentiality of Alcohol and Drug Abuse Patient Records); Federal Trade Commission (FTC) Act and FTC guidance; state laws and guidance governing privacy, security and breach notification (such as the California Shine the Light law, Lanterman-Petris-Short Act, Confidentiality of Medical Information Act, CalOPPA, and state laws governing sensitive health information); Telephone Consumer Protection Act (TCPA); CAN-SPAM; Gramm-Leach-Bliley Act (GLBA); Children's Online Privacy Protection Act (COPPA); NIST Security Standards; and Payment Card Industry Data Security Standards (PCI-DSS).

Elliot is co-chair of the ABA E-Privacy Law Committee, vice-chair of the ABA Healthcare Technology Committee, vice-chair of the Privacy, Security and Emerging Technology Division for the ABA Section of Science & Technology Law, a member of the Bloomberg BNA Health Care Innovations Board, and a frequent speaker and writer of thought leadership pieces. He is also a Certified Information Privacy Professional (CIPP/US).