University of Texas M.D. Anderson Cancer Center v. U.S. Department of Health and Human Services
University of Texas M.D. Anderson Cancer Center v. U.S. Department of Health and Human Services (U.S. Court of Appeals, 5th Circuit, January 14, 2021): The 5th Circuit vacated a $4.3 million HIPAA-related penalty imposed on the M.D. Anderson Cancer Center due to loss of technologic equipment containing electronic personal health information (ePHI) of more than 33,000 people. The court held that fine was arbitrary and capricious in contravention of the Administrative Procedure Act based on 4 separate grounds: (1) M.D. Anderson maintained an encryption “mechanism” in compliance with the Encryption Rule; (2) M.D. Anderson lost control of the ePHI, but did not affirmatively release it; (3) the administrative law judge failed to “treat like cases alike,” declining to utilize a comparative standard; and (4) the penalty amounts exceeded per-year reasonable limitations. Read the full decision here.