This afternoon, the Office for Civil Rights (OCR) announced a $3,000,000 HIPAA settlement with the University of Rochester Medical Center (URMC). This settlement resolves Privacy and Security Rule allegations.
In 2013, URMC submitted a breach report to OCR after an unencrypted flash drive containing PHI was lost.
In 2017, URMC again submitted a breach report, after an unencrypted laptop containing PHI was stolen.
OCR investigated and found:
- URMC did not conduct an enterprise-wide HIPAA Security risk analysis
- URMC lacked security measures to mitigate risks and vulnerabilities
- URMC did not use device and media controls
- URMC did not encrypt ePHI "when it was reasonable and appropriate to do so"
OCR also pointed out that URMC continued to store ePHI on unencrypted mobile devices even though it was aware of the high risk those unencrypted devices posed. Two takeaways:
- If your organization has not conducted a HIPAA Security risk analysis, or has not revisited that analysis within the past year or since your IT environment or your uses of PHI have changed, it's time to conduct one (and then mitigate the risks and vulnerabilities you find).
- OCR appears increasingly unwilling to accept a decision not to encrypt as "reasonable and appropriate." Encryption is an addressable implementation specification under the Security Rule, which means a covered entity that does not implement it must document why and put an equivalent alternative in place; losing unencrypted devices that hold ePHI makes that justification very hard to defend. If you have unencrypted ePHI on mobile devices, or stored or transmitted elsewhere, make encryption a high priority. OCR makes clear that organizations that identify security risks and fail to mitigate them in a timely manner will face consequences.