URMC Pays $3M to OCR for Mobile Device HIPAA Violation

Samara Rosenfeld
NOVEMBER 07, 2019

The University of Rochester Medical Center this week agreed to pay $3 million to the Office for Civil Rights (OCR) to settle violations of the Health Insurance Portability and Accountability Act privacy and security rules relating to the failure to encrypt mobile devices.

In 2013 and 2017, the medical center filed breach reports with OCR after discovering that protected health information had been disclosed without authorization through the loss of an unencrypted flash drive and the theft of an unencrypted laptop.

“Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk,” said Roger Severino, J.D., director of the OCR.

OCR's investigation found that the University of Rochester Medical Center had not:

  • Conducted an enterprise-wide risk analysis
  • Implemented security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level
  • Used device and media controls
  • Employed a mechanism to encrypt and decrypt electronic protected health information

A previous OCR investigation at the University of Rochester Medical Center in 2010 involved a similar incident in which an unencrypted flash drive was lost. Despite this, the medical center continued to use unencrypted mobile devices.

“When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect,” Severino said.

Along with paying the $3 million, the University of Rochester Medical Center entered into and agreed to comply with a corrective action plan for two years.

Requirements of the corrective action plan include conducting a risk analysis, developing and implementing a risk management plan and implementing a process for evaluating environmental and operational changes.

As part of the corrective action plan the University of Rochester Medical Center must provide the U.S. Department of Health and Human Services with training materials addressing the security, privacy and breach notification requirements. The medical center will also need to submit an implementation report and annual reports to discuss its compliance with the plan.


