Failure to Encrypt ePHI on Portable Devices Results in $3 Million Financial Penalty

The HHS’ Office for Civil Rights (OCR) has announced its sixth HIPAA penalty of 2019. The University of Rochester Medical Center (URMC) has paid a $3,000,000 penalty to resolve multiple violations of HIPAA Rules that were uncovered by OCR during an investigation into two breaches in 2013 and 2017.

The first incident was reported to OCR on May 6, 2013 and involved the loss of an unencrypted flash drive. The second incident was the theft of a laptop computer, which was reported to OCR on January 26, 2017. Electronic protected health information was stored on both devices and could potentially have been accessed by unauthorized individuals.

A similar breach had previously been reported to OCR by URMC in 2010. OCR also investigated that incident, but no financial penalty was issued. Instead, OCR provided technical assistance to URMC. Successive similar breaches can indicate policies and procedures may not be in order. The OCR investigation confirmed that to be the case.

OCR determined that URMC had not conducted a comprehensive, organization-wide risk analysis that included the two lost/stolen devices, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A), and that risks had not been reduced to a reasonable and acceptable level through a HIPAA-compliant risk management process, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(B).

URMC was also determined to have violated HIPAA Rules by failing to implement adequate policies governing the receipt and removal of electronic devices containing ePHI into and out of its facilities, and the movement of those devices within its facilities. The lack of device and media controls was a violation of 45 C.F.R. § 164.310(d).

Despite having received technical guidance from OCR, and despite having itself determined that its use of portable electronic devices posed a high risk to the confidentiality, integrity, and availability of ePHI, URMC failed to implement encryption when encryption was an appropriate safeguard against the exposure of ePHI, a violation of 45 C.F.R. § 164.312(a)(2)(iv). These HIPAA failures contributed to the impermissible disclosures of patients’ protected health information.

“Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk,” said Roger Severino, OCR Director. “When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”

In addition to the financial penalty, URMC is required to adopt a corrective action plan covering all areas of noncompliance discovered during the OCR investigation. URMC will also be closely monitored by OCR for two years to ensure the corrective action plan is adhered to and URMC continues to comply with all HIPAA requirements.