May 23, 2022

Volume XII, Number 143


May 20, 2022


How To Avoid Paying $2,000 A Day To Encrypt ePHI

Let’s hope you don’t pay that much to encrypt electronic Protected Health Information (ePHI). How about a total of $4.3 million over two years? Well, that’s the total penalty for encryption violations assessed by Health and Human Services (HHS). An Administrative Law Judge found the penalty could have been much worse. The facts are sobering. The message is clear.

Two Failures

In this case, a cancer center in Texas failed to encrypt ePHI for nearly two years between 2011 and 2013. In 2012, an unencrypted laptop without password protection was stolen that contained the ePHI of almost 30,000 individuals. The ePHI included names, social security numbers, and treatment or research information. In 2012, an unencrypted USB drive was lost that contained the same kind of ePHI of more than 2,200 individuals. In 2013, an unencrypted USB was lost that was believed to contain similar ePHI of approximately 3,600 individuals.

HHS imposed penalties, and the center appealed to an administrative law judge.

The judge found two violations of the requirement to protect ePHI created by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The center failed to limit access to ePHI to authorized individuals, in violation of 45 C.F.R. § 164.312(a). Through theft and loss, the center also disclosed ePHI, in violation of 45 C.F.R. § 164.502(a).

The Sobering Facts

In 2006, the center’s security operations manual required that laptops be encrypted or protected with access controls. The manual also required that data on transportable media be encrypted. This policy was reiterated in subsequent documents. In 2008, the decision was made to begin encrypting laptops. In 2009, the process was halted due to financial constraints even though none of thousands of laptops had been encrypted. In 2010, the director of information security proposed restarting the encryption program following theft of a laptop and loss of records. However, no encryption had begun by August 2011. Encryption did begin slowly in May 2012. In June 2013, the compliance officer identified failure to encrypt ePHI as a high risk area. By November 2013, 4,400 computers remained unencrypted. As of January 2014, there still were 2,600 unencrypted computers.

The Judge Rejects Technical Arguments

Technical arguments presented by the center failed to sway the judge. It was a “red herring” for the center to argue that the regulations do not mandate encryption but rather allow flexibility in establishing security. The judge acknowledged encryption is not required, but he found that the center did not attempt to address security through an alternative mechanism. Once the center selected encryption, the judge said “it was obligated to make it work.”

The judge similarly rejected an interpretation that “disclosure” required proof that the information was actually received by someone who lacked authorization. The judge ruled that HHS intended, and had the authority, to protect ePHI rather than “simply redress the consequences of unlawful disclosure.”

The judge portrayed the center’s argument as “fanciful” that the regulations did not apply to research information.

The judge found the center missed the point in arguing that the regulations should penalize the thief rather than the victim of the theft. The judge focused on the point that the case was about “failure to protect ePHI.” (Emphasis in opinion.)

The judge approved two different types of penalties. The judge considered a penalty of $2,000 per day to be justified for failure to protect ePHI under § 164.312(a). “The daily violations are the ongoing failure by Petitioner to protect patient ePHI from unauthorized disclosure, violations that persisted day after day for years.” The imposed amount was “a small fraction of the maximum allowable daily amount of $50,000” available under the regulations.

The judge approved an additional penalty for disclosure of ePHI in violation of § 164.502(a). The judge counted a violation of release separately “for each affected individual” rather than just three incidents of release as argued by the center. The judge found it “makes no sense” to treat the release of data of many individuals as if the data pertained to only one person. When the number of releases is counted separately for each individual, this penalty easily reached the statutory maximum of $1.5 million per year for identical violations.

The Message is Clear

The judge’s decision teaches that implementing a safeguard such as encryption is less expensive and more efficient than repairing the consequences of not doing so. HHS announced the judge’s decision upholding a total penalty of $4,348,000 with emphasis. The press release proclaimed “OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations.” Entities covered by the regulations should take heed – and take action.

© Copyright 2022 Squire Patton Boggs (US) LLP. National Law Review, Volume VIII, Number 178

About this Author

Thomas E. Zeno, Squire Patton Boggs, Healthcare Fraud Lawyer, Economic Crimes Attorney
Of Counsel

Thomas Zeno has more than 25 years of experience in the US Attorney’s Office for the District of Columbia. During that time, Tom investigated and prosecuted economic crimes involving healthcare, financial institutions, credit cards, computers, identity theft and copyrighted materials. As the office’s Healthcare Fraud Coordinator for the last eight years, Tom supervised investigation strategies of agents from the Federal Bureau of Investigation, the Department of Health and Human Services, the Drug Enforcement Administration and the Medicaid Fraud Control Unit regarding...

202 626 6213
Elliot Golding Privacy and Cybersecurity Attorney Squire Patton Boggs

Elliot Golding (CIPP/US) is a member of our Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He has been selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, representing the best of the data law bar around the world.

Elliot partners with clients to proactively manage risk by developing and implementing information governance programs,...