HIPAA News: MD Anderson Avoids $4.3M Fine, New Law Ties Penalties to Compliance Efforts

In a sternly worded 15-page ruling, an appeals court in New Orleans has thrown out the $4.348 million penalty the HHS Office for Civil Rights (OCR) imposed in 2017[1] against the University of Texas MD Anderson Cancer Center for three relatively small breaches of research patient data that occurred more than eight years ago.

But MD Anderson may not be the only HIPAA covered entity (CE) to benefit from the Jan. 14 decision by the Fifth Circuit Court of Appeals, as the ruling strikes at the heart of the basis upon which OCR has historically undertaken many of its enforcement actions.

“The opinion is an important decision for all covered entities and provides additional guidance on HIPAA requirements and enforcement that had before been unavailable to health care providers,” Scott McBride, one of MD Anderson’s attorneys, told RRC. “The decision will impact the OCR’s investigation and enforcement actions and hopefully lead to a more transparent and consistent process going forward for the entire health care industry.” McBride added that he expected the impact of the decision to reach beyond the Fifth Circuit.

The panel of three justices agreed with MD Anderson’s argument that inadvertent or accidental losses and thefts don’t actually count as inappropriate or unallowable disclosures because they are passive. The appeals court also said that encryption doesn’t have to be on every single device for an entity to be deemed in compliance. MD Anderson showed it had an encryption program, but the three missing devices were not encrypted.

The case marks the first time a CE or business associate (BA) has challenged OCR to this degree, and it appears the government lost on every point. In other recent news that is also likely to be welcomed by medical research organizations, academic medical centers and universities with HIPAA-covered health care components, a bill was signed into law last month that requires HHS to base fines on an organization’s recent compliance activities—and the law is retroactive to December 2016.[2]
