The University of Rochester Medical Center (URMC) has agreed to pay $3 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. URMC includes healthcare components such as the School of Medicine and Dentistry and Strong Memorial Hospital. URMC is one of the largest health systems in New York State with over 26,000 employees.
URMC filed breach reports with OCR in 2013 and 2017 following its discovery that protected health information (PHI) had been impermissibly disclosed through the loss of an unencrypted flash drive and theft of an unencrypted laptop, respectively.
OCR’s investigation revealed that
- URMC failed to conduct an enterprise-wide risk analysis
- Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level
- Utilize device and media controls; and employ a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it was reasonable and appropriate to do so
Of note, in 2010, OCR investigated URMC concerning a similar breach involving a lost unencrypted flash drive and provided technical assistance to URMC. Despite the previous OCR investigation, and URMC’s own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices.
In addition to the monetary settlement, URMC will undertake a corrective action plan that includes two years of monitoring their compliance with the HIPAA Rules.
A mobile device includes smart phones, tablets, e-readers, laptops, and flash drives. If these devices have NPPI (non-public private information) or PHI (protect health information) you as an employer could be liable for a HIPAA violation and penalties that start at $50,000 up to $1.5 million.