New York Medical Center Hit $3 Million HIPAA Penalty for Lack of Encryption

by Patrick Kennedy | Nov 7, 2019

The University of Rochester Medical Center (URMC) has been sanctioned with a $3 million HIPAA penalty for failing to encrypt mobile devices and for other HIPAA violations.

URMC is one of the biggest health systems in New York State with more than 26,000 staff at the Medical Center and various other components of the health system, including Strong Memorial Hospital and the School of Dentistry.

The Department of Health and Human Services’ Office for Civil Rights (OCR) began an investigation after receiving two breach reports from URMC – the loss of an unencrypted flash drive and the theft of an unencrypted laptop computer – between 2013 and 2017.

This was not the first occasion OCR had investigated URMC. An investigation was launched in 2010 following a similar breach involving a lost flash drive. In that instance, OCR provided technical compliance assistance to URMC. The most recent investigation uncovered multiple breaches of HIPAA Rules, including areas of noncompliance that should have been addressed after receiving technical assistance from OCR in 2010.

Under HIPAA, data encryption is not mandatory. After a risk analysis, as part of the risk management process, covered entities must review whether encryption is an appropriate security measure. An alternative safeguard can be put in place, rather than using encryption, if it provides an equivalent level of protection.

In this instance, URMC had assessed risk and found that the lack of encryption posed a high risk to the confidentiality, integrity, and availability of ePHI, yet failed to implement encryption when it was appropriate and continued to use unencrypted mobile devices containing ePHI, in breach of 45 C.F.R. § 164.312(a)(2)(iv).

OCR’s investigation revealed that the ePHI of 43 patients was stored on the stolen laptop and, as a result of the theft, that information was impermissibly disclosed – 45 C.F.R. § 164.502(a). OCR also determined that URMC had failed to complete a comprehensive, organization-wide risk analysis – 45 C.F.R. § 164.308(a)(1)(ii)(A) – covering all risks to the confidentiality, integrity, and availability of ePHI, including ePHI stored on the lost and stolen devices.

Risks had not been adequately managed and reduced to a reasonable and acceptable level – 45 C.F.R. § 164.308(a)(1)(ii)(B) – and policies and procedures governing the receipt and removal of hardware and electronic media into and out of its facilities had not been implemented – 45 C.F.R. § 164.310(d).

Along with the $3,000,000 financial penalty, URMC is required to adopt a robust corrective action plan to remedy all aspects of noncompliance identified by OCR. OCR will monitor URMC’s compliance efforts over the next two years to ensure continued compliance.

OCR Director Roger Severino said: “Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk. When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”

This is the sixth financial penalty of 2019 that OCR has imposed to resolve violations of the Health Insurance Portability and Accountability Act, and it is the fourth enforcement action of the year to cite a risk analysis failure.

The risk analysis is one of the chief elements of HIPAA compliance, and a risk analysis failure is the most commonly cited HIPAA violation in OCR’s enforcement actions.

OCR has published a risk assessment tool to assist covered entities and business associates in complying with this aspect of HIPAA.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
