University of Rochester Medical Center in New York has agreed to pay HHS' Office for Civil Rights $3 million in one of the biggest HIPAA fines this year.
The OCR imposed the fine on the University of Rochester Medical Center in response to multiple instances of the health system failing to encrypt mobile devices.
"Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk," OCR Director Roger Severino said in a statement Tuesday.
In 2017, the health system reported a breach of patients' protected health information to the OCR after discovering the loss of an unencrypted laptop, the agency said. Four years earlier, in 2013, URMC had similarly reported a breach to the agency after the loss of an unencrypted flash drive.
"Potentially affected patients were notified at the time both of these incidents occurred, and we have no reason to believe that any patient's personal health information was misused," a URMC spokesperson said in a statement. "The medical center is deeply committed to protecting patient privacy, and we continuously improve our IT security safeguards and staff training to reduce the risk of a privacy breach."
OCR's investigation into the incidents found that URMC had neglected to use device controls and to encrypt electronic protected health information, among other security measures. The health system had also failed to conduct a systemwide risk analysis, the agency said.
That's despite the fact that, in 2010, the OCR had investigated URMC for another breach involving the loss of an unencrypted flash drive.
"When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect," Severino said in the statement.
In addition to the monetary settlement, the University of Rochester Medical Center will implement a corrective action plan, which includes HHS monitoring the health system's compliance with HIPAA for two years.
URMC's fine is tied for the largest settlement announced by the OCR this year. Last month, the OCR slapped the Jackson Health System with a $2.1 million fine after an investigation revealed three separate HIPAA violations since 2013.
Touchstone Medical Imaging also agreed to pay the OCR $3 million in May, after the diagnostic medical imaging services company reportedly exposed more than 300,000 patients' protected health information by not adequately restricting access to information on one of its servers.