On November 5, 2019, the University of Rochester Medical Center (URMC) agreed to a corrective action plan and payment of $3 million due to the 2013 and 2017 loss of an unencrypted flash drive and theft of an unencrypted laptop, respectively.
The apparent reason for the large fine was the fact that “in 2010, [the Office for Civil Rights (OCR)] investigated URMC concerning a similar breach involving a lost unencrypted flash drive and provided technical assistance to URMC. Despite the previous OCR investigation, and URMC’s own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices.”
As with most OCR enforcement actions, there is typically an industry wide message with each large fine – in this case there are two, namely the failure to encrypt will simply no longer be tolerated and once given a pass by OCR be sure not to waste it.
UPDATE: December 3, 2019
In keeping with its apparent practice of announcing HIPAA violation resolutions in clusters, on November 7, 2019, OCR announced a $1.6 million penalty against the Texas Health and Human Services Commission for violations of the Privacy and Security Rules had between 2013 and 2017. The primary breach occurred when “an internal application was moved from a private, secure server to a public server and a flaw in the software code allowed access to ePHI without access credentials.” OCR also determined that in addition to the impermissible disclosure, there was a failure “to perform an accurate, thorough, and enterprise-wide risk analysis that meets the requirements of45 C.F.R. § 164.308(a)(l)(ii)(a) [Security Rule].” Interestingly, the OCR applied its new civil money penalty caps published in April.
And, on November 27, 2019, OCR revealed its enforcement settlement with a hospital network that sent bills to patients containing “the patient names, account numbers, and dates of service” of 577 other patients. Sentara Hospitals – based in Virginia and North Carolina, did not think such information was protected health information (PHI) and only notified the 8 patients where there was also a disclosure of treatment information. Given that Sentara “persisted in its refusal to properly report the breach even after being explicitly advised of their duty to do so by OCR”, it was stuck with a $2.175 million penalty. Given that PHI has been interpreted to include healthcare payment information linked to a specific individual, Sentara was obviously taking a chance when it ignored OCR’s advice. On the other hand, protected health information is expressly defined to mean “individually identifiable health information” so there was at least a colorable argument that payment information – even if related to the provision of healthcare, is not “health information” in any direct sense. 45 CFR § 160.401.
Providing some year-end advice that should also not be disregarded, on December 2, 2019, OCR released its Fall 2019 Cybersecurity Newsletter focusing on ransomware and how covered entities and business associates should apply the Security Rule as a mitigation tool against this threat.
These latest announcements were clustered to push one primary message, namely do not disregard explicit counsel from OCR given that when it comes to the OCR it most certainly holds a grudge when ignored. In addition, CE’s and BA’s are well advised to deploy an enterprise-wide risk analysis that determines whether there are out-facing vulnerabilities that should be patched. And finally, as shown by the significant amount assessed against the University of Rochester Medical Center, future disregard of encryption as a risk mitigation tool will likely lead to enhanced penalties going forward.