On January 14, 2021, the United States Court of Appeals for the Fifth Circuit vacated a $4.3 million civil monetary penalty that the Office for Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) imposed against the University of Texas M.D. Anderson Cancer Center (“M.D. Anderson”). OCR ordered the penalty in 2017 following an investigation into three data breaches suffered by M.D. Anderson in 2012 and 2013, finding that M.D. Anderson had violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information and Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”). The Court, however, held that the penalty was “arbitrary, capricious, and otherwise unlawful,” in part based on its interpretation of the HIPAA Rules.
Continue Reading M.D. Anderson Wins Appeal Over $4.3 Million HIPAA Penalty
HITECH Amendment Provides Some Protection For Covered Entities and Business Associates that Adopt Recognized Security Standards
On January 5, 2021, an amendment to the Health Information Technology for Economic and Clinical Health (“HITECH”) Act was signed into law. The amendment requires the U.S. Department of Health and Human Services (“HHS”) to “consider certain recognized security practices of covered entities and business associates when making certain determinations” regarding fines, audit results, or other remedies for resolving potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). For organizations subject to HIPAA, the amendment provides substantial incentives to establish or improve their cybersecurity programs. While it does not establish a complete safe harbor from HIPAA enforcement, the amendment does offer organizations a chance to mitigate financial penalties and other negative regulatory actions that may result from a data breach.
Continue Reading HITECH Amendment Provides Some Protection For Covered Entities and Business Associates that Adopt Recognized Security Standards