NY Attorney General HIPAA Fine for URMC

A HIPAA fine of $15,000 has been issued by the New York attorney general to the University of Rochester Medical Center (URMC) for a breach of patient privacy that occurred in March 2015.

It is not only the Office for Civil Rights (OCR) that issues financial penalties for violations of HIPAA Rules. State attorneys general can also enforce the HIPAA Privacy, Security, and Breach Notification Rules.

State attorneys general were given the power to assist OCR with enforcement of the Health Insurance Portability and Accountability Act Rules by the HITECH Act of 2009, although few state AGs have opted to use it. When action is taken against healthcare organizations that have exposed patient data, it is often brought under state consumer protection laws rather than HIPAA.

The first ever attorney general HIPAA fine was issued by the Connecticut AG's office on July 6, 2010. HealthNet Inc. was fined $250,000 for the loss of a hard drive containing the PHI of 1.5 million individuals. Since then, a number of states have opted to issue HIPAA fines, with the Northeastern states taking this action most often. Connecticut, Massachusetts, Vermont, and now New York have all taken action over HIPAA breaches that affected residents of those states.

As reported on previous occasions, the University of Rochester Medical Center data breach happened in March of this year. A nurse practitioner was due to leave her role at URMC and take up a new position with a different healthcare provider. Before she departed, she asked URMC to provide her with a list of her patients, and URMC obliged. The nurse took that list to her new employer, which sent letters to the patients confirming the nurse's new position and offering them the chance to continue their care with the same nurse at the new medical facility. The list was provided so that the level of care patients received would not diminish after the nurse left URMC. In total, the privacy of 3,403 individuals was breached.

Medical care may be given by a nurse or other healthcare professional; however, it is the healthcare facility, as the covered entity, that must implement measures to keep patient data secure.

Patients may choose to change healthcare provider in order to continue their treatment with a specific professional, and each patient has the right to receive medical care at the facility of their choice. During a consultation, a healthcare professional may tell a patient that they are changing roles, but nurses and other healthcare professionals are not permitted to take patient data with them when they leave for another employer.

The nurse in question gave patients' PHI to her new employer, which violated HIPAA Rules. Action could have been taken against the nurse, but the NY attorney general opted to take action against URMC for providing the patient data to her. URMC did take steps following the breach to ensure that similar incidents would not happen in the future, but that was not enough to avoid an attorney general HIPAA fine.

URMC has agreed to pay the attorney general's HIPAA violation fine of $15,000, undergo a full review of its policies and procedures by the OAG Task Force, comply with strict reporting requirements for the next 3 years, and begin ongoing HIPAA training of its workforce within 60 days. All new members of staff must also receive full training on HIPAA Rules before being granted access to patients' PHI.

The resolution agreement can be downloaded here.