On November 5, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $3,000,000 settlement with the University of Rochester Medical Center (“URMC”) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules in 2013 and 2017.

According to HHS, URMC reported that protected health information (“PHI”) had been improperly disclosed after the loss of an unencrypted flash drive in 2013 and the theft of an unencrypted laptop in 2017.  HHS found that URMC had failed to undertake the appropriate measures to protect this kind of PHI, including encryption mechanisms and system-wide risk analysis.  HHS reports that it investigated a similar breach involving the loss of an unencrypted flash drive by URMC in 2010.

In addition to the monetary settlement, URMC also agreed to a Corrective Action Plan.

You can read the HHS Press Release, Resolution Agreement and Corrective Action Plan here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/urmc/index.html

If you would like guidance on how your organization can prevent HIPAA violations from occurring, or on how to handle a HIPAA violation, please contact our firm.

Danielle Dietrich is a healthcare and litigation attorney in Tucker Arensberg’s Long Term Care Practice Group. She is licensed to practice law in Pennsylvania, Ohio and West Virginia.  Danielle can be reached via email: ddietrich@tuckerlaw.com, telephone: 412-594-5605 or on Twitter at @DLDietrich.