The University of Rochester Medical Center (URMC), one of the largest health systems in New York State, has settled potential violations under the Health Insurance Portability and Accountability Act (HIPAA) for $3 million with the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS). In addition to the monetary settlement, URMC agreed to undertake corrective measures to shore up its compliance under HIPAA.
URMC filed breach reports with the OCR regarding incidents of a lost flash drive in 2013 and a stolen laptop in 2017, both of which were unencrypted and contained patients' electronic protected health information (ePHI). As a HIPAA-covered entity, URMC is subject to HIPAA's Privacy, Security, and Breach Notification Rules (HIPAA Rules), and HHS has the authority to conduct compliance reviews and investigations of violations of the HIPAA Rules by covered entities.
Upon these incidents, HHS investigated URMC's HIPAA compliance and found the following:
In addition to the $3 million settlement (which is not considered an admission of liability), URMC also entered a 2-year Corrective Action Plan with HHS. Among other things, URMC agrees it will conduct a risk analysis, review and revise its current HIPAA Privacy and Security policies and procedures, and develop a risk management plan.
The HIPAA Rules impose countless requirements that covered entities must understand and implement or face costly outcomes for noncompliance. Learn how to navigate these obligations with ComplianceDashboard: HIPAA Pro!
The information and content contained in this blog post are for general information purposes only, and do not, and are not intended to, constitute legal advice.