Labs in Court

$4.3 Million Is Too High a Penalty for HIPAA Violation, Says Federal Court

Case: A federal appeals court has shot down what had been the fourth largest OCR penalty for a HIPAA violation as having “no lawful basis.” That decision means that instead of $4.3 million, the University of Texas MD Anderson Cancer Center will have to pay $450,000 for failing to encrypt protected patient data. OCR doled out the fine in 2018 to settle alleged HIPAA violations associated with a trio of separate data breaches that occurred in 2012 and 2013, involving the loss and theft of an unencrypted laptop and two unencrypted flash drives containing data on approximately 33,800 patients.

Significance: HIPAA requires covered entities to “implement a mechanism to encrypt and decrypt” ePHI. There was no dispute that Anderson fell short in meeting this requirement. The issue was how big a penalty it deserved. It wasn’t like Anderson was cavalier. There were policies and training in place. But the employees involved in the breaches apparently didn’t follow them. The mechanism existed, “even if it could or should have been better,” the Fifth Circuit reasoned. The court also found that OCR failed to abide by per-year penalty caps for HIPAA violations.

[University of Texas M.D. Anderson Cancer Center v. U.S. Dept. of Health and Human Services, Case 19-60226, U.S. Fifth Circuit, January 14, 2021]
