On November 5, 2019, the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services entered into a settlement with the University of Rochester Medical Center (“URMC”) under which URMC agreed to pay $3 million to the OCR and to take substantial corrective action for potential violations of the HIPAA privacy and security rules. It should be noted that URMC admitted no liability in its settlement with the OCR.
The settlement comes as a result of two breaches of unsecured electronic protected health information (“ePHI”) in 2013 and 2017 respectively. Both breaches involved the loss and/or theft of unencrypted mobile devices containing unsecured ePHI. In one case the mobile device was an unencrypted flash drive and in the other an unencrypted personal laptop. The government’s investigation into the incidents indicated that URMC:
- Failed to conduct an accurate and thorough risk analysis of the potential risks to ePHI held by URMC;
- Failed to implement security measures sufficient to comply with the HIPAA security rule;
- Failed to implement sufficient policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility and within the facility; and
- Failed to implement sufficient mechanisms to encrypt and decrypt ePHI or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption.
This settlement should serve as an indication to HIPAA covered entities that compliance with the HIPAA privacy and security rules is not just an expectation but a requirement. Failure to adhere to the requirements of the HIPAA privacy and security rules could expose HIPAA covered entities to significant sanctions.
Covered entities can reduce their exposure to potential fines and penalties by ensuring that they have adequately addressed the requirements of the HIPAA privacy and security rules. In particular, a thorough risk analysis gives a covered entity an accurate picture of the threats to its ePHI and of any gaps between its current safeguards and what the rules require. Based on the results of that risk analysis, a covered entity will have the information it needs to put adequate safeguards in place to maintain the confidentiality, integrity and availability of its ePHI.
If you have any questions, please contact Gunster health care practice shareholder Bill Dillon.