In one of this year’s largest HIPAA settlements, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) is set to collect $3 million from the University of Rochester Medical Center (URMC). This settlement over potential violations of the Privacy and Security Rules under HIPAA also requires URMC to follow a corrective action plan that includes two years of HIPAA compliance monitoring by OCR.

OCR’s investigation was prompted by a breach report in 2013 that an unencrypted flash drive had been lost and a breach report in 2017 that an unencrypted laptop had been stolen, both leading to the improper disclosure of patients’ protected health information (PHI). These reports followed a previous OCR investigation of URMC involving the loss of an unencrypted flash drive in 2010. Despite this investigation, OCR’s technical assistance, and the health system’s identification of unencrypted devices as a substantial risk to electronic PHI, URMC continued to use unencrypted devices. OCR’s investigation of the 2013 and 2017 breach reports showed that URMC had failed to conduct enterprise-wide risk analyses, utilize certain device and media controls, employ a mechanism to encrypt and decrypt electronic PHI where appropriate, and implement other security measures to reduce certain risks and vulnerabilities.

URMC’s failure to make these changes following a prior investigation of the same issue likely contributed to the high settlement amount in this case. Per OCR Director Roger Severino, “[when] covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.” This settlement demonstrates the importance of a compliance program that addresses both the hardware and software threats to patient privacy and data security; missteps like the loss or theft of an unencrypted device pose a threat to PHI as significant as a system breach.

Although encryption is not expressly required under the HIPAA Security Rule, it is now considered an industry standard. The Security Rule requires covered entities and business associates to address various safeguards, and either implement those safeguards or document why a safeguard is not reasonable and appropriate for the organization. OCR specifically noted that URMC failed to either implement sufficient encryption mechanisms or document why encryption was not reasonable and appropriate. The URMC settlement indicates that failure to use encryption, without a clear and documented justification, is no longer acceptable under the Security Rule. “Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk,” says Severino.

The OCR press release, resolution agreement, and corrective action plan may be accessed here.