September 22, 2020

Volume X, Number 266

September 21, 2020

$3 Million OCR HIPAA Settlement Due to Lost Flash Drive and Stolen Laptop

The University of Rochester Medical Center (URMC) and the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) entered into a $3 million no-fault settlement agreement and a two-year corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA).

In May 2013, URMC notified OCR of a breach of unsecured electronic protected health information (ePHI) stemming from the loss of a flash drive. OCR did not note the total number of individuals affected by the lost flash drive. Later, in January 2017, URMC notified OCR of another breach of unsecured ePHI resulting from the theft of a laptop personally owned by one of URMC’s resident surgeons, which contained 43 patients’ ePHI. OCR’s investigations into these two incidents revealed that URMC failed to:

1. Conduct a thorough and accurate risk assessment of the potential risks and vulnerabilities to the ePHI held by URMC;

2. Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;

3. Implement sufficient policies and procedures that govern receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within a facility; and

4. Implement sufficient mechanisms to encrypt and decrypt ePHI or, alternatively, document why encryption was not reasonable and appropriate and implement equivalent alternative measures to encryption to safeguard ePHI.

This is one of the largest settlement amounts that OCR has agreed to this year. The settlement serves as a reminder to health care businesses to implement sufficient policies and procedures to ensure the security of employee devices and media.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. National Law Review, Volume IX, Number 315


About this Author

Sumaya Noush, Drinker Biddle Law Firm, HealthCare Attorney

Sumaya Noush counsels health care clients on strategic and operational matters including transactions, corporate governance, and regulatory compliance. She helps her clients navigate the daily challenges of running their operations while identifying opportunities for growth in today’s rapidly evolving and highly competitive health care market.

Sumaya previously served as a law clerk for Drinker Biddle, an instructor at Yale’s Bioethics Institute where she taught a seminar on FDA law and medical ethics, and a Visiting Scholar at...