URMC Fined $3 million for Failure in HIPAA Compliance
The University of Rochester Medical Center (URMC) was fined a lofty $3 million for negligence towards HIPAA compliance. The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) found that URMC had violated HIPAA compliance on two separate counts taking place in 2013 and 2017. Both incidents involved unencrypted devices with protected health information (PHI) being breached.
In 2013, a USB flash drive containing multiple PHI records was lost. In response, OCR launched an investigation into URMC’s HIPAA compliance.
In 2017, a personal laptop containing 43 PHI records was stolen from the treatment facility. OCR was forced to carry out a HIPAA compliance audit of URMC in response to the incident. During the audit, OCR found that URMC, in both incidents, had failed in multiple parameters including risk analysis, security measures, security policies implementation, and device and media encryption.
Along with the $3 million fine, URMC was directed by OCR to undertake a corrective action plan which includes two years of monitoring their ability to comply with HIPAA regulations.