On November 5, 2019, the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services entered into a settlement with the University of Rochester Medical Center (“URMC”) under which URMC will pay $3 million to the OCR and take substantial corrective action for potential violations of the HIPAA privacy and security rules. It should be noted that URMC admitted no liability in its settlement with the OCR.

The settlement comes as a result of two breaches of unsecured electronic protected health information (“ePHI”) in 2013 and 2017, respectively. Both breaches involved the loss or theft of unencrypted mobile devices containing unsecured ePHI. In one case the mobile device was an unencrypted flash drive, and in the other an unencrypted personal laptop. The government’s investigation into the incidents indicated that URMC:

  1. Failed to conduct an accurate and thorough risk analysis of the potential risks to ePHI held by URMC;
  2. Failed to implement sufficient security measures to comply with the HIPAA security rule;
  3. Failed to implement sufficient policies and procedures governing the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of such items within the facility; and
  4. Failed to implement sufficient mechanisms to encrypt and decrypt ePHI or, alternatively, to document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption.

This settlement should serve as an indication to HIPAA covered entities that compliance with the HIPAA privacy and security rules is not just an expectation but a requirement. Failure to adhere to the requirements of the HIPAA privacy and security rules could expose HIPAA covered entities to significant sanctions.

Covered entities can reduce their exposure to potential fines and penalties by ensuring that they have adequately addressed the requirements of the HIPAA privacy and security rules. In particular, a thorough risk analysis can provide a covered entity with an accurate understanding of its compliance with HIPAA. Based on the results of its risk analysis, a covered entity will have the information needed to make sure that it has adequate safeguards in place to maintain the confidentiality, integrity and availability of its ePHI.

If you have any questions, please contact Gunster health care practice shareholder Bill Dillon.
