In a dramatic rebuttal of how the Department of Health and Human Services Office of Civil Rights’ (“OCR”) has historically enforced HIPAA with potential far-ranging consequences, the Fifth Circuit Court of Appeals recently handed down a landmark decision criticizing and restricting how OCR interprets HIPAA and OCR’s penalty authority.  OCR brought an enforcement action against the University of Texas M.D. Anderson Cancer Center (“M.D. Anderson”) stemming from three separate alleged data breaches and violations of various HIPAA requirements. OCR imposed a US$4,348,000 penalty, which M.D. Anderson appealed.  The case eventually reached the Fifth Circuit Court of Appeals.  In rejecting the penalty, the Court criticized not only OCR’s interpretation of the HIPAA regulations generally but also OCR’s penalty calculation in this case.  Our report on the decision prepared by Kristin Bryan and Christina Lamoureux is available here