NY Attorney General HIPAA Fine for URMC

by | Dec 10, 2015

A HIPAA fine of $15,000 has been issued by the New York attorney general to the University of Rochester Medical Center (URMC) for a breach of patient privacy that occurred in March 2015.

It is not only the Office for Civil Rights (OCR) that issues financial penalties for violations of HIPAA Rules. State attorneys general can also enforce the HIPAA Privacy, Security, and Breach Notification Rules.

State attorneys general were given the authority to assist OCR with enforcement of the Health Insurance Portability and Accountability Act Rules when the HITECH Act was introduced in 2009, although few state AGs have chosen to use it. Action is sometimes taken against healthcare organizations that have exposed patient data, but the decision is often made to prosecute under state consumer protection laws rather than HIPAA.

The first ever attorney general HIPAA fine was issued by the Connecticut AG's office on July 6, 2010. HealthNet Inc. was fined $250,000 for the loss of a hard drive containing the PHI of 1.5 million individuals. Since then, a number of states have opted to issue HIPAA fines, with the Northeastern states using this power the most. Connecticut, Massachusetts, Vermont, and now New York, have all taken action over HIPAA breaches that affected residents of those states.

As previously reported, the University of Rochester Medical Center data breach occurred in March of this year. A nurse practitioner was due to leave her role at URMC and take up a new position with a different healthcare provider. Before she departed, she asked URMC to provide her with a list of patients, and URMC obliged. The nurse then took that list to her new employer, which sent letters to the patients confirming the nurse's new position and offering them the chance to continue their care with the same nurse at the new medical facility. The list was provided with the intention of ensuring that the level of care patients received from URMC would not diminish. In total, 3,403 individuals had their privacy breached.

Medical care may be given by a nurse or another healthcare professional; however, it is the healthcare facility, as the covered entity, that must implement measures to keep patient data secure.

Patients may choose to change healthcare provider in order to continue their treatment with a specific clinician, and each patient has the right to receive medical care at the facility of their choice. During a consultation, a clinician can tell a patient that they are changing roles, but nurses and other healthcare professionals are not permitted to take patient data with them when they leave for another employer.

The nurse in question gave patients' PHI to her new employer, which violated HIPAA Rules. Action could have been taken against the nurse, but the NY attorney general opted to take action against URMC for providing the patient data to the nurse in the first place. URMC did take steps following the breach to ensure that similar incidents would not happen in the future, but that was not enough to avoid an attorney general HIPAA fine.

URMC has agreed to pay the attorney general's HIPAA violation fine of $15,000, undergo a full review of its policies and procedures by the OAG Task Force, comply with strict reporting requirements for the next 3 years, and begin training its workforce within 60 days, with training continuing on an ongoing basis. All new members of staff must also receive complete training on the HIPAA Rules before being granted access to patients' PHI.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.