The Fifth Circuit Court of Appeals recently handed down a landmark decision criticizing and restricting how the Department of Health and Human Services Office of Civil Rights’ (OCR) interprets HIPAA and OCR’s penalty authority. OCR brought an enforcement action against the University of Texas M.D. Anderson Cancer Center (M.D. Anderson) stemming from three alleged data breaches and violations of various HIPAA requirements. OCR imposed a US$4,348,000 penalty, which M.D. Anderson appealed up to the Fifth Circuit. In rejecting the penalty, the Court criticized not only OCR’s interpretation of the HIPAA regulations generally but also OCR’s penalty calculation in this case. Our report on the decision prepared by Elliot Golding, Kristin Bryan and Christina Lamoureux is available here.