The Office for Civil Rights (OCR) issued a press release on November 5, 2019 discussing a $3 million HIPAA settlement reached with the University of Rochester Medical Center (URMC). URMC filed two separate breach reports in 2013 and 2017, both in reference to unencrypted devices that stored protected health information (PHI). The healthcare breaches stemmed from the loss of an unencrypted flash drive and the theft of an unencrypted laptop; both incidents resulted in the unauthorized disclosure of PHI.

How the HIPAA Settlement was Reached

URMC had also experienced a breach in 2010 due to the loss of an unencrypted flash drive and received technical assistance from OCR to address its deficiencies; however, it continued to use unencrypted devices to store and access PHI. OCR Director Roger Severino said, “Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk. When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”


The most recent investigation found that URMC failed to:

  • conduct an enterprise-wide risk analysis;
  • implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;
  • utilize device and media controls; and
  • employ a mechanism to encrypt and decrypt electronic protected health information (ePHI).

HIPAA settlement fines are issued based on the size and type of breach. The fine tiers are as follows:

  • First Tier: the covered entity did not know and could not reasonably have known of the breach ($100-$50,000 per incident, with an annual maximum of $1.5 million).
  • Second Tier: the covered entity “knew, or by exercising reasonable diligence would have known” of the violation, but did not act with willful neglect ($1,000-$50,000 per incident, with an annual maximum of $1.5 million).
  • Third Tier: the covered entity “acted with willful neglect” but corrected the problem within a 30-day period ($10,000-$50,000 per incident, with an annual maximum of $1.5 million).
  • Fourth Tier: the covered entity “acted with willful neglect” and failed to make a timely correction ($50,000 per incident, with an annual maximum of $1.5 million).

The Health Insurance Portability and Accountability Act (HIPAA) requires organizations working with PHI to implement reasonable and appropriate measures to secure that sensitive information through encryption or an equally secure alternative. Because URMC failed to implement encryption after OCR had already warned it to do so in 2010, it was found to have acted with willful neglect and to have failed to correct the issue in a timely manner, and it was fined at the highest tier. In addition to the fine, URMC is required under the settlement to implement a corrective action plan to address its deficiencies.