URMC Pays $3 Million HIPAA Penalty for Failure to Encrypt Mobile Devices

The University of Rochester Medical Center (URMC) has paid $3 million to the Office for Civil Rights (OCR) to settle a HIPAA penalty over its failure to encrypt its mobile devices and for other violations of the HIPAA Rules.

URMC is one of the largest health systems in New York. The Medical Center and the other facilities in the URMC health system, such as the School of Dentistry and Strong Memorial Hospital, have more than 26,000 employees.

The Department of Health and Human Services’ Office for Civil Rights (OCR) decided to investigate URMC after receiving two breach reports, one in 2013 and another in 2017. The first involved a lost unencrypted flash drive and the second an unencrypted laptop that was stolen.

OCR first investigated URMC in 2010 following a breach very similar to the missing flash drive case, and provided URMC with technical compliance assistance at that time. In the latest investigation, OCR found a number of violations of the HIPAA Rules, including noncompliance with issues that URMC should have resolved after receiving that technical assistance in 2010.

Data encryption is not strictly required under HIPAA. Covered entities must, however, decide whether encryption is needed after performing a risk analysis. An alternative safeguard may be used only if it provides a level of protection equivalent to encryption.

URMC’s own risk assessment showed that, without encryption, the confidentiality, integrity and availability of ePHI were at high risk. Despite that finding, URMC did not implement encryption and continued to use unencrypted mobile devices holding ePHI, in violation of 45 C.F.R. § 164.312(a)(2)(iv).

OCR’s investigation showed that the ePHI of 43 patients was stored on the stolen laptop. The information was therefore regarded as impermissibly disclosed under 45 C.F.R. § 164.502(a). OCR also determined that URMC had not performed a complete, organization-wide risk analysis as required by 45 C.F.R. § 164.308(a)(1)(ii)(A).

URMC also violated 45 C.F.R. § 164.308(a)(1)(ii)(B) by failing to manage identified risks and reduce them to a reasonable and appropriate level. Its failure to implement policies and procedures governing the receipt and removal of computer hardware and electronic media into and out of its facilities constitutes a further violation of 45 C.F.R. § 163.310(d).

In addition to the $3,000,000 penalty, URMC is required to adopt a corrective action plan that addresses every area of noncompliance identified by OCR. OCR will closely monitor URMC’s compliance over the next two years.

Failing to encrypt mobile devices puts patient health data at risk. Covered entities that are aware of their compliance failures and do not take the required steps to correct them will be held liable for that disregard.

The URMC penalty is the sixth financial penalty issued by OCR in 2019 to organizations that violated the Health Insurance Portability and Accountability Act, and the fourth enforcement action this year involving a risk analysis failure.