On November 5, 2019, the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services entered into a settlement with the University of Rochester Medical Center (“URMC”) under which URMC will pay $3 million to the OCR and take substantial corrective action for potential violations of the HIPAA privacy and security rules. It should be noted that URMC admitted no liability in its settlement with the OCR.

The settlement comes as a result of two breaches of unsecured electronic protected health information (“ePHI”) in 2013 and 2017 respectively. Both breaches involved the loss and/or theft of unencrypted mobile devices containing unsecured ePHI. In one case the mobile device was an unencrypted flash drive and in the other an unencrypted personal laptop. The government’s investigation into the incidents indicated that URMC:

  1. Failed to conduct an accurate and thorough risk analysis of the potential risks to ePHI held by URMC;
  2. Failed to implement sufficient security measures to comply with the HIPAA security rule;
  3. Failed to implement sufficient policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility and within the facility; and
  4. Failed to implement sufficient mechanisms to encrypt and decrypt ePHI or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption.

This settlement should serve as an indication to HIPAA covered entities that compliance with the HIPAA privacy and security rules is not just an expectation but a requirement. Failure to adhere to the requirements of the HIPAA privacy and security rules could expose HIPAA covered entities to significant sanctions.

Covered entities can reduce the exposure to potential fines and penalties by ensuring that they have adequately addressed the requirements of the HIPAA privacy and security rules. In particular, a thorough risk analysis can provide a covered entity with an accurate understanding of the entity’s compliance with HIPAA. Based on the results of its risk analysis, a covered entity will have the information needed to make sure that it has adequate safeguards in place to maintain the confidentiality, integrity and availability of its ePHI.

If you have any questions, please contact Gunster health care practice shareholder Bill Dillon.

This publication is for general information only. It is not legal advice, and legal counsel should be contacted before any action is taken that might be influenced by this publication.

About Gunster

Gunster, Florida’s law firm for business, provides full-service legal counsel to leading organizations and individuals from its 12 offices statewide. Established in 1925, the firm has expanded, diversified and evolved, but always with a singular focus: Florida and its clients’ stake in it. A magnet for business-savvy attorneys who embrace collaboration for the greatest advantage of clients, Gunster’s growth has not been at the expense of personalized service but because of it. The firm serves clients from its offices in Boca Raton, Fort Lauderdale, Jacksonville, Miami, Orlando, Palm Beach, Stuart, Tallahassee, Tampa, The Florida Keys, Vero Beach, and its headquarters in West Palm Beach. With nearly 200 attorneys and 200 committed support staff, Gunster is ranked among the National Law Journal’s list of the 500 largest law firms and has been recognized as one of the Top 100 Diverse Law Firms by Law360. More information about its practice areas, offices and insider’s view newsletters is available at