Court ruling in lost PHI case muddies HIPAA waters

A recent court decision ruling that a HIPAA-covered entity was not liable for losing a hard drive containing patients' protected health information could have big implications for future cases in the realm of privacy and security.

A California appeals court has ruled that the Board of Regents at the University of California can't be held accountable when they lost the hard drive of a UCLA Health physician containing PHI of more than 16,000 patients – including the plaintiff, Melinda Platter – as officials could not confirm that patient data was actually accessed.

For business associates and covered entities who may deem this a legal win if, say, they happen to lose or misplace devices containing patient data, there's one important detail to remember: The hard drive was encrypted. Thus, the implications of the ruling are lesser than for groups currently facing legal woes over failing to protect patient data by forgoing encryption.

Reportedly, however, a note containing the encryption password also went missing.

The court decision was also made under a California state law, the Confidentiality of Medical Information Act, not federal HIPAA guidelines.

According to the U.S. Department of Health and Human Services, 40 percent of reported healthcare data breaches involve a lost or stolen laptop or mobile device.

The California case stemmed from a November 2011 incident when the encrypted hard drive was stolen from the home of a UCLA Health System physician. In October 2012, Platter filed suit, alleging "unlawful disclosure of confidential medical information in violation of CMIA."

The appeals court ruled that "because Platter cannot allege her information was improperly viewed or otherwise accessed, we grant the Regents' petition and issue a writ of mandate to the superior court directing it to vacate its order overruling."

Just last month, Advocate Health – who in August reported the second largest HIPAA data breach to date after four unencrypted laptops were stolen from its facility compromising the protected health information of more than 4 million people – was slapped with a class action lawsuit filed by affected patients.


By Joe Petro When you tell your phone that you'd like "a table for two at the best Italian place in... More

By Ranya Habash, MD Today's physicians face an increasing array of non-clinical demands on their time, from... More

By Eric Wicklund Healthcare officials in Kansas are studying a unique participatory art project in hopes of... More

White Papers and Webinars