By Theresa Defino
Covered entities (CEs) and business associates (BAs) should not fear a large penalty from the HHS Office for Civil Rights (OCR) for HIPAA violations overall; specifically, the agency shouldn’t be fining organizations that haven’t fully encrypted their IT systems and devices. And OCR’s historical interpretation of what constitutes an impermissible disclosure is wrong, the Fifth Circuit Court of Appeals also said, which can serve as an argument for CEs and BAs defending against OCR enforcement action for alleged HIPAA violations.[1]
Clarification on encryption and disclosures are the legacy of the case the University of Texas MD Anderson Cancer Center began nearly 10 years ago against OCR, which sought to impose a $4.348 million civil money penalty related to three breaches in 2012 and 2013. Attorney Scott McBride discussed the case in an interview with RPP, including why officials were committed to seeing the litigation through to the Supreme Court if necessary.[2]