Here is some more commentary on the Fifth Circuit opinion in MD Anderson v. HHS. of SheppardMullin write, in part:
On the ruling regarding the disclosure of ePHI, the Fifth Circuit held that HHS had failed to establish that MD Anderson disclosed ePHI to someone outside of the covered entity. The court clarified that under HIPAA’s definition of disclosure, a disclosure required an affirmative act to disclose information and that HHS must prove that the information was actually disclosed to someone outside of the covered entity.
Read more on Eye on Privacy. This aspect of the opinion does not seem to have generated as much discussion as other aspects of the opinion, and yet I think it is hugely significant in potential. What does this say about data leaks due to misconfigured servers? An error would not appear to be an “affirmative” act to disclose information. From the opinion:
That interpretation departs from the regulation HHS wrote in at least three ways. First, each verb HHS uses to define “disclosure”—release, transfer, provide, and divulge—suggests an affirmative act of disclosure, not a passive loss of information. One does not ordinarily “transfer” or “provide” something as a sideline observer but as an active participant. The ALJ recognized as much when he defined “release” as “the act of setting something free.” But then he made the arbitrary jump to the conclusion that “any loss of ePHI is a ‘release,’” even if the covered entity did not act to set free anything. It defies reason to say an entity affirmatively acts to disclose information when someone steals it. That is not how HHS defined “disclosure” in the regulation. So HHS may not define it that way in an
adjudication.
That seems to indicate that even if data is definitely viewed and even copied by unauthorized individuals, it would not be a disclosure or breach under HIPAA. Somehow that doesn’t sound right to me, but maybe smarter heads than mine understand and can explain this.