OCR’s Temper Flares: $3 Million HIPAA Penalty for Loss of Information of Just 43 Patients

Don’t poke the bear, the saying goes. The University of Rochester Medical Center (URMC) appears to have done just that, prompting the Office for Civil rights of the U.S. Department of Health and Human Services (OCR) to levy one of the largest HIPAA fines per patient in the history of HIPAA enforcement.

On November 5, 2019, OCR issued a press release announcing a settlement of a penalty proceeding for $3,000,000 for the loss of an unencrypted laptop and USB drive with the health information of 43 patients.  Per patient, this is one of the largest penalty settlements since HIPAA enforcement began.  And it’s worth noting that this hefty fine was a settlement, meaning the penalty could have been much higher following a full administrative proceeding (a fact that URMC no doubt feared).

What led to such a large penalty? Well, the bear (OCR) was clearly displeased by yet another data breach from yet another failure to encrypt a mobile device.  Worse, URMC itself had previously been investigated by OCR for a breach involving a lost, unencrypted flash drive. OCR, apparently, had had enough.

The penalty is far from the end of URMC’s woes, though. The Resolution Agreement settling the proceeding contains a Corrective Action Plan that will be very expensive and time-consuming to implement. Its terms include a new security risk analysis that must be shared with HHS (Health and Human Services), which can require remediation measures beyond those recommended in the assessment; design and implementation of a Risk Management Plan that, again, must be submitted to HHS for approval; implementation and distribution of new security and incident reporting policies and procedures; and training on the new protocols, where training materials and annual compliance reports must be submitted to and approved by HHS. Losses of protected information through failure to encrypt the devices holding that information  are not new yet seem to recur to an extent that recalls Yogi Berra’s observation of “déjà vu all over again.” This settlement shows that OCR is not amused and will continue to ramp up penalties on providers who fail to take elementary, inexpensive security steps like encryption to protect health information.

If you have questions abut how to reduce the risk of HIPAA and other security law and regulation violations, please contact Kenneth N. Rashbaum.