HIPAA Horror Stories

Mobile Data: Don’t ignore the feds

one-minute read

A large New York State health system disregards mobile data warnings and pays a huge price.

When it comes to electronic patient health information (ePHI) and mobile data security, some folks never seem to learn their lessons.

Back in 2010, the University of Rochester Medical Center (URMC), one of New York State’s largest health systems, was warned that its lax data management systems were putting patient privacy at risk.

Almost 10 years ago, the Office for Civil Rights (OCR), the federal agency responsible for investigating Health Insurance Portability and Accountability Act (HIPAA) violations, discovered URMC had misplaced an unencrypted flash drive containing the private health records of some of its 26,000 patients.

That violation led to OCR offering URMC technical assistance to ensure such a breach never happened again.

Guess what?

Two mobile data breaches despite OCR warnings

Despite the 2010 warnings, in 2013 and 2017 URMC reported breaches involving the loss of yet another unencrypted flash drive AND an unencrypted laptop containing ePHI.

OCR’s investigation revealed that URMC failed to perform basic tasks associated with responsible mobile data management, leading to serious HIPAA violations. Those tasks include:

  • conducting an enterprise-wide risk analysis
  • implementing sufficient security measures
  • utilizing device and media controls
  • employing reasonable encryption and decryption technology

This time, OCR came down hard, forcing URMC to pay a whopping $3 million to settle the mobile data violations.

“When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect,” said OCR Director Roger Severino.

In addition to the monetary payment, URMC must undergo a comprehensive two-year corrective action plan requiring the Health System to:

  • conduct a risk analysis
  • develop a risk management plan
  • develop a plan to address changes to URMC’s security environment
  • revise its policies and procedures
  • provide privacy training

What’s your mobile device data encryption policy? If your answer is less-than-comforting, we’re here to help.

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Don’t become a HIPAA Horror Story! HIPAA compliance is easy, when you know the rules.

Request A Demo

Copyright © 2020 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms of Service | Privacy Policy

Powered by JEMSU

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

8820 Ladue Road Suite 200
Saint Louis, MO 63124

You may have questions about COVID-19 and HIPAA. We have answers. 

We are open and answering questions about all the new modifications and waivers, coming from HHS, OCR, CMS, and the new CARES act.

If you need help with HIPAA during the COVID-19 pandemic, fill in the form, and we’ll get back to you.

Free hipaa kit!

hipaa compliance Quick start kit
Delivered free