Fifth Circuit Vacates $4.3 Million M.D. Anderson HIPAA Penalty in Data Privacy Dispute

On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit vacated a $4.3 million civil monetary penalty imposed by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on the University of Texas M.D. Anderson Cancer Center (M.D. Anderson) over alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

The Fifth Circuit found that (1) M.D. Anderson employed several mechanisms for encrypting electronic protected health information (ePHI) and email communication systems, (2) M.D. Anderson did not intentionally try to disclose ePHI, and (3) the OCR did not prove that individuals outside M.D. Anderson had actually received the ePHI. On that basis, the court found the OCR’s civil monetary penalty “arbitrary, capricious, and otherwise unlawful.”

    Read more at the National Law Review
