The University of Rochester Medical Center's (URMC's) disregard for HIPAA compliance has cost it a $3 million fine. The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) held URMC responsible for two separate HIPAA violations, one in 2013 and one in 2017.
On February 15, 2013, URMC reported a data breach to OCR after it lost an unencrypted flash drive (USB drive) containing protected health information (PHI) of its patients. In response to that breach report, OCR notified URMC that it was opening an investigation into URMC's HIPAA compliance.
On January 26, 2017, OCR received a second breach notification from URMC. This time, URMC reported that an unencrypted personal laptop belonging to one of its resident surgeons, containing PHI of 43 patients, had been stolen from a treatment facility. OCR once again investigated URMC's HIPAA compliance in connection with this incident.
In its investigations, OCR found that URMC had violated the HIPAA Rules in both instances, on the following points:
Risk Analysis: URMC failed to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all PHI in its physical and electronic custody, including the ePHI stored on the lost flash drive and the stolen laptop.
Security Measures: URMC failed to implement security measures sufficient to reduce those risks and vulnerabilities to a reasonable and appropriate level, as HIPAA requires.
Device and Media Controls: URMC failed to implement and enforce policies governing the receipt, movement, and disposal of hardware and electronic media containing ePHI at its facilities.
Encryption: URMC failed to implement a mechanism to encrypt and decrypt ePHI on portable devices and media (or to document and implement an equivalent alternative measure), leaving the PHI on the lost drive and stolen laptop readable by whoever found or took them.
OCR also treated URMC as a repeat offender. In 2010, URMC had reported another data breach involving a lost unencrypted flash drive. Despite the recommendations and technical assistance OCR provided at that time, URMC continued to permit the use of unencrypted mobile devices and flash drives.
In a stern statement, Roger Severino, OCR Director, said, "Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk. When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect."
In addition to the $3 million fine, OCR required URMC to adopt a corrective action plan that includes two years of monitoring of its compliance with the HIPAA Rules.