By Jennifer B. Hagedorn, Esquire

The U.S. Department of Health and Human Services (HHS) recently announced two significant violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. In both cases, the access to unencrypted protected health information (PHI) had been impermissibly disclosed and the appropriate risk analysis protocols, audit controls and other protective measures were deemed inadequate. The result: $4.6 million dollars in penalties.

One of the largest health systems in the state of New York, The University of Rochester Medical Center (URMC), filed breach reports with the Office of Civil Rights (OCR) in 2013 and 2017 when it discovered that PHI had been disclosed through the loss of an unencrypted flash drive and the theft of an unencrypted laptop. The OCR investigated and determined that URMC failed to conduct enterprise-wide risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilize device and media controls; and employ a mechanism to encrypt/decrypt electronic PHI. As a result of the findings, URMC agreed to pay the OCR a $3 million settlement and undertake a corrective action plan that includes two years of monitoring their compliance with the HIPAA rules.

The OCR imposed a $1.6 million civil money penalty against the Texas Health and Human Services Commission (TX HHSC), part of the Texas HHS system, for its violations of HIPAA Privacy and Security Rules. In 2015, a breach report was filed with OCR stating that the electronic PHI of 6,617 individuals was viewable over the internet, including names, addresses, social security numbers and treatment information. According to the report, the breach occurred when an internal application was moved from a private, secure server to a public server and a flaw in the software code allowed access without the need for credentials. In addition to the impermissible disclosure, OCR determined that the organization failed to conduct an enterprise-wide risk analysis and implement access and audit controls on its information systems and applications.

The Director of OCR, Roger Severino, was quoted regarding the serious nature of these violations. Regarding URMC's failure to properly encrypt, Mr. Severino explained "Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk. When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect." Regarding the violation by TX HHSC, Mr. Severino stated that "Covered entities need to know who can access protected health information in their custody at all times. No one should have to worry about their private health information being discoverable through a Google search."

The Bowles Rice Health Care group's Medical Records Privacy and Security team has signifcant experience advising covered entities and business associates regarding their HIPAA obligations, and our Cybersecurity and Information Privacy team regularly counsels clients on data privacy policies and procedures, risk assessment and more. For more information, contact a team member listed below.