In an important recent case, the US Court of Appeals for the Fifth Circuit rebuffed the US Department of Health and Human Services (HHS) by vacating as arbitrary and capricious the $4,348,000 penalty HHS had imposed on the University of Texas M.D. Anderson Cancer Center (M.D. Anderson) for three HIPAA violations involving the loss of patient data stored on unencrypted devices. In doing so, the court held that HHS had misinterpreted three important provisions of the HIPAA regulations: the Encryption Rule, the Disclosure Rule, and the $100,000-per-calendar-year cap on all violations of an identical requirement or prohibition. The court also found that HHS had violated the requirement that an agency either treat like cases alike or explain why it did not.
For any hospital or other covered entity that has labored under the HHS misinterpretations, the M.D. Anderson case gives a renewed opportunity to challenge out-of-line penalties and fines for conduct that is in fact lawful under the current regulations.