On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit vacated a $4.3 million civil monetary penalty imposed by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on the University of Texas M.D. Anderson Cancer Center (M.D. Anderson) over alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.
The Fifth Circuit found that 1) M.D. Anderson employed several mechanisms for encrypting electronic protected health information (ePHI) and email communication systems, 2) M.D. Anderson did not intentionally try to disclose ePHI, and 3) the OCR did not prove that individuals outside M.D. Anderson had actually received the ePHI. It therefore found the OCR’s civil monetary penalty “arbitrary, capricious, and otherwise unlawful.”