Large New York State Health System Agrees To Pay $3 Million For Its Repeated Failure to Encrypt Mobile Devices

Saul Ewing Arnstein & Lehr LLP

On November 5, 2019, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) announced a $3 million settlement with the University of Rochester Medical Center (URMC) resolving potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. URMC admitted no wrongdoing as part of the OCR settlement.

As part of the URMC Resolution Agreement, URMC will be subject to a two-year Corrective Action Plan (CAP).

URMC's history with OCR spans three incidents. In 2010, OCR investigated URMC over the loss of an unencrypted flash drive and provided technical assistance to URMC on HIPAA compliance. In May 2013, URMC submitted a breach report to OCR because, the previous month, it had lost another unencrypted flash drive containing electronic protected health information (ePHI); in June 2013, OCR opened an investigation into URMC's HIPAA compliance. In January 2017, URMC again contacted OCR because an unencrypted laptop containing 43 patients' ePHI was stolen from a treatment facility, and OCR initiated an additional HIPAA compliance investigation of URMC's practices.

As part of the two-year CAP, URMC agreed to each of the following:

  • conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality and availability of ePHI and prepare and share with HHS a statement of work of its risk analysis;
  • develop and implement a risk management plan, subject to HHS approval;
  • develop a process to evaluate any environmental or operational changes that affect the security of URMC’s ePHI;
  • review and revise its Privacy and Security Rules Policies and Procedures to ensure HIPAA compliance;
  • promptly investigate reported incidents related to its workforce members failing to comply with URMC’s adopted, revised Policies and Procedures;
  • provide HHS with training materials addressing the requirements of the Privacy, Security and Breach Notification Rules that will be used for appropriate workforce members;
  • submit an implementation report and annual CAP compliance reports to OCR.

The OCR settlement is a critical – and costly – reminder for all HIPAA-covered entities that the obligation to safeguard ePHI includes the security of electronic hardware, including laptops, flash drives and cell phones that are used daily by HIPAA-covered entities and their workforce members.

This OCR settlement may be an example of three strikes and you are “out” given the 2010, 2013 and 2017 incidents affecting URMC.  All covered entities should review their policies and processes to ensure they protect a patient’s rights under HIPAA.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing LLP | Attorney Advertising
