DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

What Does the Fifth Circuit’s Vacating of HHS HIPAA Fines Mean for Companies This Year?

Posted on February 9, 2021 by Dissent

Here is some more commentary on the Fifth Circuit opinion in MD Anderson v. HHS.  Elfin Noce, Liisa Thomas & Susan Ingargiola  of SheppardMullin write, in part:

On the ruling regarding the disclosure of ePHI, the Fifth Circuit held that HHS had failed to establish that MD Anderson disclosed ePHI to someone outside of the covered entity. The court clarified that under HIPAA’s definition of disclosure, a disclosure required an affirmative act to disclose information and that HHS must prove that the information was actually disclosed to someone outside of the covered entity.

Read more on Eye on Privacy. This aspect of the opinion does not seem to have generated as much discussion as other aspects of the opinion, and yet I think it is hugely significant in potential.  What does this say about data leaks due to misconfigured servers?  An error would not appear to be an “affirmative” act to disclose information. From the opinion:

That interpretation departs from the regulation HHS wrote in at least three ways. First, each verb HHS uses to define “disclosure”—release, transfer, provide, and divulge—suggests an affirmative act of disclosure, not a passive loss of information. One does not ordinarily “transfer” or “provide” something as a sideline observer but as an active participant. The ALJ recognized as much when he defined “release” as “the act of setting something free.” But then he made the arbitrary jump to the conclusion that “any loss of ePHI is a ‘release,’” even if the covered entity did not act to set free anything. It defies reason to say an entity affirmatively acts to disclose information when someone steals it. That is not how HHS defined “disclosure” in the regulation. So HHS may not define it that way in an
adjudication.

That seems to indicate that even if data is definitely viewed and even copied by unauthorized individuals, it would not be a disclosure or breach under HIPAA.  Somehow that doesn’t sound right to me, but maybe smarter heads than mine understand and can explain this.

Category: Commentaries and AnalysesHealth DataHIPAAOf NoteU.S.

Post navigation

← Brazilian Data Protection Authority Publishes Regulatory Strategy for 2021 – 2023
RBNZ says partner Accellion kept it in the dark about data breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • CoinMarketCap Hacked, Scrambles to Remove Malicious Wallet Verification Popup
  • Montana Attorney General launches investigation into Lee Enterprises data breach
  • AT&T gets preliminary approval for $177 million data breach settlement
  • Aflac notifies SEC of breach suspected to be work of Scattered Spider
  • Former JBLM soldier pleads guilty to attempting to share military secrets with China
  • No, the 16 billion credentials leak is not a new data breach — a wake-up call about fake news (Updated)
  • Tonga’s health system hit by cyberattack (1)
  • Russia Expert Falls Prey to Elite Hackers Disguised as US Officials
  • Proposed class action settlement in In re Netgain Technology litigation
  • Qilin Offers “Call a lawyer” Button For Affiliates Attempting To Extort Ransoms From Victims Who Won’t Pay

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data
  • US Judge Invalidates Biden Rule Protecting Privacy for Abortions
  • DOJ’s Data Security Program: Key Compliance Considerations for Impacted Entities
  • 23andMe fined £2.31 million for failing to protect UK users’ genetic data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.