Interesting ruling by the 5th Circuit US Court of Appeals out of Louisiana. They vacated a $4.3M HIPAA penalty against MD Anderson Cancer Center. What does this mean?

FTA:

In a ruling that could have a profound impact on HIPAA enforcement, a U.S. Court of Appeals has vacated a $4.3 million HIPAA civil monetary penalty levied by federal regulators against the University of Texas MD Anderson Cancer Center in the wake of three breaches involving unencrypted mobile devices. The court called the penalty "arbitrary, capricious and contrary to law."

Among the reasons for vacating the penalty, the court noted that MD Anderson at the time of the incidents had in place a "mechanism" to encrypt PHI on mobile devices, but three employees failed to use the encryption control before the laptop and two USB drives vanished.

The court also criticized how HHS calculated the financial penalty.

"The ruling undermines the entire OCR enforcement approach, indicating that it is arbitrary and capricious for OCR to select a few cases for financial enforcement if the result is that similar fact patterns are enforced differently."

---------