Our healthcare team recently published a LawFlash on a significant victory in the US Court of Appeals for the Fifth Circuit for The University of Texas MD Anderson Cancer Center. The case involved an appeal of a proposed civil money penalty (CMP) related to a Health Insurance Portability and Accountability Act data breach enforcement action brought by the US Department of Health and Human Services' Office for Civil Rights (OCR).
The landmark victory resulted in a vacated CMP of $4.3 million. The published opinion found that HHS had no lawful basis for its CMP penalties and found that the order against MD Anderson was unlawful under the Administrative Procedure Act. OCR has become more aggressive in pursuing fines from healthcare providers over the last few years, and this decision brings an end to this multiyear case, which included two levels of administrative appeals before petitioning the Fifth Circuit for review. This is a major victory, in particular with respect to stolen devices and encryption requirements, that will impact OCR enforcement actions going forward across the healthcare industry.