New York Medical Center Hit With $3 Million HIPAA Penalty for Lack of Encryption

The University of Rochester Medical Center (URMC) has been sanctioned with a $3 million HIPAA penalty for failing to encrypt mobile devices and for other HIPAA violations.

URMC is one of the biggest health systems in New York State with more than 26,000 staff at the Medical Center and various other components of the health system, including Strong Memorial Hospital and the School of Dentistry.

The Department of Health and Human Services’ Office for Civil Rights (OCR) began an investigation after receiving two breach reports from URMC between 2013 and 2017: the loss of an unencrypted flash drive and the theft of an unencrypted laptop computer.

This was not the first occasion OCR had investigated URMC. An investigation was launched in 2010 following a similar breach involving a lost flash drive. In that instance, OCR provided technical compliance assistance to URMC. The most recent investigation uncovered multiple breaches of HIPAA Rules, including areas of noncompliance that should have been addressed after receiving technical assistance from OCR in 2010.

Under HIPAA, data encryption is not mandatory. As part of the risk management process that follows a risk analysis, covered entities must determine whether encryption is an appropriate security measure. An alternative safeguard can be implemented instead of encryption if it provides an equivalent level of protection.

In this instance, URMC had assessed risk and found that the lack of encryption posed a high risk to the confidentiality, integrity, and availability of ePHI, yet failed to implement encryption when it was appropriate and continued to use unencrypted mobile devices that contained ePHI, in violation of 45 C.F.R. § 164.312(a)(2)(iv).

OCR’s investigation revealed that the ePHI of 43 patients was stored on the stolen laptop and, as a result of the theft, that information was impermissibly disclosed – 45 C.F.R. § 164.502(a). OCR also determined that URMC had failed to complete a comprehensive, organization-wide risk analysis – 45 C.F.R. § 164.308(a)(1)(ii)(A) – that included all risks to the confidentiality, integrity, and availability of ePHI and covered the ePHI stored on the lost and stolen devices.

Risks had not been adequately managed and reduced to a reasonable and acceptable level – 45 C.F.R. § 164.308(a)(1)(ii)(B) – and policies and procedures governing the receipt and removal of hardware and electronic media into and out of its facilities had not been implemented – 45 C.F.R. § 164.310(d).

Along with the $3,000,000 financial penalty, URMC is required to adopt a robust corrective action plan to remedy all areas of noncompliance identified by OCR. OCR will monitor URMC’s compliance efforts over the next two years to ensure continued compliance.

OCR Director Roger Severino said: “Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk. When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”

This is the sixth financial penalty of 2019 that OCR has imposed to resolve violations of the Health Insurance Portability and Accountability Act, and it is the fourth enforcement action to cite a risk analysis failure.

The risk analysis is one of the chief elements of HIPAA compliance, and a risk analysis failure is the HIPAA violation most commonly cited in OCR’s enforcement actions.

OCR has published a risk assessment tool to assist covered entities and business associates in complying with this aspect of HIPAA.