University of Texas M.D. Anderson Cancer Center v. U.S. Department of Health and Human Services
United States Court of Appeals for the Fifth Circuit
985 F.3d 472 (5th Cir. 2021)
- Written by Sean Carroll, JD
Facts
A trainee and a visiting researcher at the University of Texas M.D. Anderson Cancer Center (Anderson) (plaintiff) each lost a USB drive containing individuals’ electronic protected health information (ePHI). The USB drives were not encrypted. Additionally, an Anderson faculty member had a laptop stolen. The laptop was not encrypted or password-protected and also contained individuals’ ePHI. Under the encryption rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), all entities covered by HIPAA were required to implement a mechanism to encrypt and decrypt ePHI. The United States Department of Health and Human Services (HHS) (defendant) imposed a civil penalty of $4,348,000 against Anderson for violation of this requirement. Anderson challenged the penalty in federal court. Anderson presented evidence that it had implemented an encryption mechanism. Anderson also presented evidence that HHS had seen other companies violate the encryption rule in the past without imposing any civil penalties.
Rule of Law
Issue
Holding and Reasoning (Oldham, J.)
What to do next…
Here's why 832,000 law students have relied on our case briefs:
- Written by law professors and practitioners, not other law students. 46,500 briefs, keyed to 994 casebooks. Top-notch customer support.
- The right amount of information, includes the facts, issues, rule of law, holding and reasoning, and any concurrences and dissents.
- Access in your classes, works on your mobile and tablet. Massive library of related video lessons and high quality multiple-choice questions.
- Easy to use, uniform format for every case brief. Written in plain English, not in legalese. Our briefs summarize and simplify; they don’t just repeat the court’s language.
