URMC Pays $3 Million HIPAA Penalty for Failure to Encrypt Mobile Devices

The University of Rochester Medical Center (URMC) has paid the HHS Office for Civil Rights (OCR) $3 million as a HIPAA penalty for failing to encrypt mobile devices and for other violations of the HIPAA Rules.

URMC is one of New York State's largest health systems, with more than 26,000 employees across its Medical Center and the health system's other facilities, including the School of Dentistry and Strong Memorial Hospital.

The Department of Health and Human Services' Office for Civil Rights (OCR) investigated URMC after receiving two breach reports, one in 2013 and one in 2017. The first concerned a lost, unencrypted flash drive; the second a stolen, unencrypted laptop computer.

OCR had first investigated URMC in 2010, following a similar breach involving a lost flash drive. On that occasion OCR closed the matter by providing URMC with technical compliance assistance. In the most recent investigation, OCR found several violations of the HIPAA Rules, including noncompliance in areas URMC should have addressed after receiving that technical assistance in 2010.

HIPAA does not mandate encryption outright; under the Security Rule, encryption is an "addressable" implementation specification. A covered entity must conduct a risk analysis and determine whether encryption is a reasonable and appropriate safeguard. If it concludes that it is not, it must document that decision and implement an alternative measure that provides an equivalent level of protection.

In URMC's case, its own risk assessment had identified the lack of encryption as a high risk to the confidentiality, integrity, and availability of ePHI. Despite that finding, URMC did not implement encryption and continued to use unencrypted mobile devices containing ePHI, in violation of 45 C.F.R. § 164.312(a)(2)(iv).

OCR's investigation found that the stolen laptop held the ePHI of 43 patients, so that information was deemed impermissibly disclosed under 45 C.F.R. § 164.502(a). OCR also determined that URMC had failed to conduct an accurate and thorough enterprise-wide risk analysis, as required by 45 C.F.R. § 164.308(a)(1)(ii)(A).

URMC also violated 45 C.F.R. § 164.308(a)(1)(ii)(B) by failing to manage identified risks and reduce them to a reasonable and appropriate level, and 45 C.F.R. § 164.310(d) by failing to implement policies and procedures governing the receipt and removal of hardware and electronic media containing ePHI into and out of its facilities.

In addition to the $3,000,000 financial penalty, URMC must adopt a robust corrective action plan that addresses every area of noncompliance OCR identified. OCR will monitor URMC's compliance efforts for the next two years.

Failing to encrypt mobile devices needlessly puts patient health information at risk. Covered entities that have been made aware of their compliance failures and still do not correct them will be held accountable for that negligence.

This is the sixth financial penalty OCR has issued in 2019 for violations of the Health Insurance Portability and Accountability Act, and the fourth enforcement action this year involving a risk analysis failure, the most commonly cited HIPAA violation.