Univ. of Texas Case Clarified Encryption, Disclosure Definition

Covered entities (CEs) and business associates (BAs) should not fear a large penalty from the HHS Office for Civil Rights (OCR) for HIPAA violations overall; specifically, the agency shouldn’t be fining organizations that haven’t fully encrypted their information technology systems and devices.

And OCR’s historical interpretation of what constitutes an impermissible disclosure is wrong, the Fifth Circuit Court of Appeals also said,[1] which can serve as an argument for CEs and BAs defending against OCR enforcement action for alleged HIPAA violations.

Clarification on encryption and disclosures are the legacy of the case the University of Texas MD Anderson Cancer Center began nearly 10 years ago against OCR, which sought to impose a $4.348 million civil money penalty related to three breaches in 2012 and 2013. Attorney Scott McBride discussed the case in an interview with RRC, including why officials were committed to seeing the litigation through to the U.S. Supreme Court if necessary (see story, p. 1).[2]

This document is only available to subscribers. Please log in or purchase access.

Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field