Court ruling in lost PHI case muddies HIPAA waters
A recent court decision ruling that a HIPAA-covered entity was not liable for losing a hard drive containing patients' protected health information could have big implications for future cases in the realm of privacy and security.
A California appeals court has ruled that the Board of Regents at the University of California can't be held accountable when they lost the hard drive of a UCLA Health physician containing PHI of more than 16,000 patients – including the plaintiff, Melinda Platter – as officials could not confirm that patient data was actually accessed.
For business associates and covered entities who may deem this a legal win if, say, they happen to lose or misplace devices containing patient data, there's one important detail to remember: The hard drive was encrypted. Thus, the implications of the ruling are lesser than for groups currently facing legal woes over failing to protect patient data by forgoing encryption.
Reportedly, however, a note containing the encryption password also went missing.
The court decision was also made under a California state law, the Confidentiality of Medical Information Act, not federal HIPAA guidelines.
According to the U.S. Department of Health and Human Services, 40 percent of reported healthcare data breaches involve a lost or stolen laptop or mobile device.
The California case stemmed from a November 2011 incident when the encrypted hard drive was stolen from the home of a UCLA Health System physician. In October 2012, Platter filed suit, alleging "unlawful disclosure of confidential medical information in violation of CMIA."
The appeals court ruled that "because Platter cannot allege her information was improperly viewed or otherwise accessed, we grant the Regents' petition and issue a writ of mandate to the superior court directing it to vacate its order overruling."
Just last month, Advocate Health – who in August reported the second largest HIPAA data breach to date after four unencrypted laptops were stolen from its facility compromising the protected health information of more than 4 million people – was slapped with a class action lawsuit filed by affected patients.