In 2017, the University of Texas MD Anderson Cancer Center was assessed $4.3 million in penalties for violating HIPAA. The penalties were the result of an investigation by the HHS Office for Civil Rights (OCR) that occurred after MD Anderson reported three data breaches involving the theft of an unencrypted laptop and the loss of two unencrypted USB thumb drives.
MD Anderson appealed the OCR’s decision, and on January 15, 2021, the Fifth Circuit Court of Appeals vacated the penalty.
“The Fifth Circuit disagreed with OCR’s (and the ALJ’s) interpretation of both the encryption and disclosure provisions, and also determined that the penalty issued by the agency was ‘arbitrary, capricious, and otherwise unlawful,’” according to an article on the JD Supra website.
Read more about the Firth Circuit Court’s decision, and its possible effects on OCR investigations going forward.