
3 Tips to Avoid a $3M HIPAA Violations Settlement for an Unencrypted Device


The University of Rochester Medical Center (URMC) has agreed to pay $3 million for a potential HIPAA violations settlement. Master three takeaways so your practice doesn’t land on the same costly path.

URMC, in New York State, which includes healthcare components such as the School of Medicine and Dentistry and Strong Memorial Hospital, filed breach reports with the U.S. Department of Health & Human Services in 2013 and 2017 following its discovery that protected health information (PHI) had been impermissibly disclosed through the loss of an unencrypted flash drive and the theft of an unencrypted laptop, respectively.

Tip 1: Prevent HIPAA Violations By Knowing What Is Secure and Not

Secure messaging is not about you logging in with a password to send a message. “Both the front and back end need credentials,” says HIPAA expert John Brewer in “Head Off HIPAA Text/Email Errors and Massive Penalties.”

The transmission itself must be secure. What is NOT secure? Email in general (including Gmail, Yahoo! Mail, and Outlook.com), texting, and similar channels are not secure. What IS secure? Your patient portal (if HIPAA compliant), snail mail, fax with proper procedures in place, and express delivery (FedEx/UPS/USPS) are secure.

Tip 2: Encrypt Your Devices to Derail HIPAA Breaches

OCR’s investigation revealed that URMC failed to conduct an enterprise-wide risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilize device and media controls; and employ a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it was reasonable and appropriate to do so. “Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk,” said Roger Severino, OCR Director.

Tip 3: Take Corrective Action Seriously or Face Neglect Charges

When you perform a risk assessment or do internal training and identify weaknesses, be sure to work to fix them. Failing to take corrective action will cost you big. “When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect,” Severino said.

Of note, in 2010, OCR investigated URMC concerning a similar breach involving a lost unencrypted flash drive and provided technical assistance to URMC. Despite the previous OCR investigation and URMC’s own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile 

Tool: Protect your practice with this Sample Mobile Device Policy for Acceptable Use template.

You’ll prevent hefty HIPAA violations and fines that could result from the inappropriate use of mobile devices and unsuspected breaches.


Documents:
HHS press release: https://www.hhs.gov/about/news/2019/11/05/failure-to-encrypt-mobile-devices-leads-to-3-million-dollar-hipaa-settlement.html

Resolution agreement and corrective action plan: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/urmc/index.html

Meet Your Writer

Jen Godreau
CPC, CPMA, CPEDC, COPC

Content Director

Jennifer Godreau, CPC, CPMA, CPEDC, COPC, has almost 20 years of experience in billing, coding, compliance, and practice management. She develops the content and programs for Healthcare Training Leader, a practice-specific online training company offering step-by-step advice on increasing reimbursement and avoiding compliance violations. Prior to joining Healthcare Training Leader, Jennifer supervised the program delivery for EMRs, practice management systems, and compliance and revenue cycle services for more than 6,000 providers. Thousands of software products (encoders, claims management, auditing, and HIPAA compliance) have been created with her teams and have helped thousands of practices more easily reduce revenue losses and comply with complex regulations. Her passion for breaking down healthcare rules and requirements into simple steps has provided practical advice, education, and risk reduction strategies to numerous associations, payers, and medical specialties, especially in primary care, otolaryngology, eye care, and pediatrics. Jennifer’s advocacy resulted in supervision rule revisions, new CPT codes, and CMS compliance contracts. She oversaw the provider auditing and education for one of the major corporate integrity health system settlements. Jennifer has authored and presented on numerous healthcare compliance and payment challenges. Her education guides include the Certified Otolaryngology Coder (CENTC) exam study guide and the AAPC Professional Medical Coding Curriculum. Jennifer has a Bachelor of Arts from Wittenberg University in Springfield, Ohio. She holds certificates in coding, auditing, pediatric coding, and ophthalmology billing and coding, and is AAPC Vice President of the Naples, FL chapter. Please reach out to Jennifer for step-by-step guidance at editorial@hctrainingleader.com