University of Rochester Medical Center’s $3 Million HIPAA Settlement

The University of Rochester Medical Center (URMC), one of the largest health systems in New York, recently agreed to a $3 million settlement for potential violations of the Health Insurance Portability and Accountability Act (HIPAA).

In 2013, URMC filed a breach report with the United States Department of Health and Human Services, Office for Civil Rights (OCR) due to the loss of an unencrypted flash drive containing electronic Protected Health Information (ePHI). URMC filed another breach report in 2017 due to the theft of a resident’s unencrypted laptop containing ePHI. Upon investigating these incidents, OCR found that URMC failed to:

  1. conduct accurate and thorough risk analyses of potential risks and vulnerabilities to ePHI
  2. implement sufficient security measures to reduce risks and vulnerabilities
  3. implement compliant policies and procedures governing the receipt and removal of hardware and electronic media containing ePHI into and out of its facilities
  4. implement adequate mechanisms to encrypt and decrypt ePHI

In addition to the $3 million settlement, URMC entered into a two-year corrective action plan requiring it to conduct an accurate and thorough risk analysis, develop and implement a written risk management plan to sufficiently reduce risks and vulnerabilities, and develop a process to evaluate any environmental or operational changes that affect the security of URMC’s ePHI. Furthermore, URMC agreed to revise its privacy and security policies and procedures, as well as to retrain its employees. Once OCR approves URMC’s new measures to comply with HIPAA, URMC will be required to submit a written report regarding the implementation of its corrective action plan.

Both covered entities and business associates have a direct duty not only to file applicable breach reports, but also to implement and adhere to comprehensive HIPAA-compliant policies and procedures protecting the privacy and security of ePHI. Contact Frier Levitt for assistance with drafting or reviewing your practice’s HIPAA policies and procedures.