Reading the Fifth: The Law
In the 5th Circuit HIPAA case, the court rejected OCR’s conclusion that M.D. Anderson had failed to implement a mechanism to encrypt ePHI. M.D. Anderson had implemented several mechanisms to encrypt ePHI, including an “IronKey” for mobile device encryption and decryption, as well as a mechanism to encrypt emails. By doing so, the 5th Circuit held, M.D. Anderson satisfied the only legal requirement at issue: the requirement to implement a mechanism to encrypt PHI.
The judge, the 5th Circuit held, erred in finding that the Encryption Rule required more than what the plain text of the rule required. The rule simply requires that a covered entity or business associate implement a mechanism to encrypt ePHI. The judge interpreted the rule to mean that covered entities were required to assure that “All systems containing ePHI be inaccessible to unauthorized users.” In other words, the judge invented a requirement under which a covered entity must not only implement a mechanism for encryption; the mechanism must also be foolproof. And, if it is not, the judge reasoned, HIPAA has been violated. The 5th Circuit rejected the judge’s reasoning, finding that the encryption “failure” by M.D. Anderson was that three employees failed to abide by the encryption mechanism, or that the mechanism was not rigorously enforced. (M.D. Anderson might have done a better job of training its workers on how to secure mobile devices from theft, though.) But since all that was required was for M.D. Anderson to HAVE a mechanism, which it did, there was no HIPAA violation.
The Fifth Circuit likewise rejected the judge’s conclusion that M.D. Anderson committed a Privacy Rule violation. The Privacy Rule, as relevant to this case, prohibits a covered entity from “disclosing” PHI. The rule defines disclosure as “the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.”
The judge concluded that what this means is that a covered entity violates the “