$3 Million OCR HIPAA Settlement Due to Lost Flash Drive and Stolen Laptop

Faegre Drinker Biddle & Reath LLP

The University of Rochester Medical Center (URMC) and the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) entered into a $3 million no-fault settlement agreement and two-year corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA).

In May 2013, URMC notified OCR of a breach of unsecured electronic protected health information (ePHI) stemming from the loss of a flash drive. OCR did not note the total number of individuals affected by the lost flash drive. Later, in January 2017, URMC notified OCR of another breach of unsecured ePHI, resulting from the theft of a laptop that was personally owned by one of URMC’s resident surgeons and contained 43 patients’ ePHI. OCR’s investigations into these two incidents revealed that URMC failed to:

1. Conduct a thorough and accurate risk assessment of the potential risks and vulnerabilities to the ePHI held by URMC;

2. Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;

3. Implement sufficient policies and procedures that govern receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within a facility; and

4. Implement sufficient mechanisms to encrypt and decrypt ePHI or, alternatively, document why encryption was not reasonable and appropriate and implement equivalent alternative measures to encryption to safeguard ePHI.

This is one of the largest settlement amounts that OCR has agreed to this year. The settlement serves as a reminder to health care businesses to implement sufficient policies and procedures to ensure the security of employee devices and media.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Faegre Drinker Biddle & Reath LLP | Attorney Advertising
