URMC Takes Steps to Avoid Future Patient Privacy Violations

Jul 19, 2015

In May, the University of Rochester Medical Center experienced a data violation after a member of staff took the Protected Health Information (PHI) of patients to a new employer.

The employee in question, a nurse practitioner in the Department of Neurology, was concerned about continuity of patient care after she left her employment. The medical center supplied her with a printed list of patients' information so that she could add notes and information that would ensure patients did not experience any fall in care standards as a result of her departure from the role. The list of patients was not collected before the employee left her employment, and the data was subsequently disclosed to her new employer.

With the benefit of hindsight, it was perhaps inadvisable to have provided printed PHI to a member of staff about to take employment with another local healthcare provider. However, all that can be done now is to notify the patients concerned and change policies and procedures to ensure, as far as is practical and possible, that a similar incident cannot happen again.

Many healthcare providers that suffer a data breach inform patients that they are putting in place new security measures to improve privacy protections, but do not go into much detail on what those measures consist of. The University of Rochester Medical Center has decided to focus on transparency and has revealed the changes it has made to address the risk of PHI exposure.

After any improper disclosure of information by a present or former member of staff, further training should be provided on privacy rules. URMC is beginning a program of re-education and will be instructing physicians, nurses and other providers of healthcare services on their obligations under HIPAA and under the new hospital policies that are being formulated.

Referring to the new policies, David Kirshner, senior vice president and chief financial officer for URMC, recently said, “There are do’s and don’ts, and those are being very clearly spelled out in the policy guidelines that we’re drafting.”

The medical center formed a privacy and security committee two years ago, which has been addressing data security and privacy weaknesses. The medical center has made attempts to maintain compliance with HIPAA rules and prevent data breaches, although the recent breach showed inadequacies in its policies.

The committee has discussed the incident and assessed security and privacy measures and procedures in an effort to prevent similar data violations from occurring in the future. The committee accepted that the nurse practitioner, Martha Smith Lightfoot, should not have taken personal information and given it to her new employer, but also that the nurse should never have been supplied with the list in the first place.

One of the policy changes being implemented is a new restriction on official communications with patients. Rather than allowing physicians and nurses to give patients information relating to continuity of care and care services, those communications will now be handled at a departmental level.



Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.
