University of Rochester Medical Center Settles HIPAA Violations for $3 Million

The University of Rochester Medical Center (URMC), one of the largest health systems in New York State, has settled potential violations under the Health Insurance Portability and Accountability Act (HIPAA) for $3 million with the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS). In addition to the monetary settlement, URMC agreed to undertake corrective measures to shore up its compliance under HIPAA.

URMC filed breach reports with the OCR regarding incidents of a lost flash drive in 2013 and stolen laptop in 2017, both of which were unencrypted and contained patients’ electronic protected health information (ePHI). As a HIPAA-covered entity, URMC is subject to HIPAA’s Privacy, Security, and Breach Notification Rules (HIPAA Rules), and HHS has the authority to conduct compliance reviews and investigations of violations of the HIPAA Rules by covered entities.

Upon these incidents, HHS investigated URMC’s HIPAA compliance and found the following:

1. URMC impermissibly disclosed the ePHI of 43 patients when surgeon’s laptop was stolen in 2017.
2. Regarding the ePHI of the lost flash drive and stolen laptop, URMC failed to comply with administrative safeguards because it did not conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the ePHI held by URMC.
3. URMC failed to properly implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level required by HIPAA Rules.
4. URMC failed to implement sufficient policies and procedures that govern receipt and removal of hardware and electronic media that contain ePHI with regard to the lost flash drive and stolen laptop.
5. URMC failed to implement sufficient mechanisms to encrypt and decrypt ePHI on the lost flash drive and stolen computer. It also failed to document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption to safeguard ePHI.

In addition to the $3 million settlement (which is not considered an admission of liability), URMC also entered a 2-year Corrective Act Plan with HHS. Among other things, URMC agrees it will conduct a risk analysis, review and revise its current HIPAA Privacy and Security policies and procedures, and develop a risk management plan.

The HIPAA Rules impose countless requirements covered entities must understand and implement or face costly outcomes for noncompliance. Learn how to navigate through these obligations with ComplianceDashboard: HIPAA Pro!

The information and content contained in this blog post are for general information purposes only, and does not, and is not intended to, constitute legal advice.