HIPAA Horror Stories

Mobile Data: Don’t ignore the feds

A large New York State health system disregards mobile data warnings and pays a huge price.

When it comes to electronic patient health information (ePHI) and mobile data security, some folks never seem to learn their lessons.

Back in 2010, the University of Rochester Medical Center (URMC), one of New York State’s largest health systems, was warned that its lax data management systems were putting patient privacy at risk.

Almost 10 years ago, the Office for Civil Rights (OCR), the federal agency responsible for investigating Health Insurance Portability and Accountability Act (HIPAA) violations, discovered URMC had misplaced an unencrypted flash drive containing the private health records of some of its 26,000 patients.

That violation led to OCR offering URMC technical assistance to ensure such a breach never happened again.

Guess what?

Two mobile data breaches despite OCR warnings

Despite the 2010 warnings, in 2013 and 2017 URMC reported breaches involving the loss of yet another unencrypted flash drive AND an unencrypted laptop containing ePHI.

OCR’s investigation revealed that URMC failed to perform basic tasks associated with responsible mobile data management, leading to serious HIPAA violations. Those tasks include:

  • conducting an enterprise-wide risk analysis
  • implementing sufficient security measures
  • utilizing device and media controls
  • employing reasonable encryption and decryption technology

This time, OCR came down hard, forcing URMC to pay a whopping $3 million to settle the mobile data violations.

“When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect,” said OCR Director Roger Severino.

In addition to the monetary payment, URMC must undergo a comprehensive two-year corrective action plan requiring the Health System to:

  • conduct a risk analysis
  • develop a risk management plan
  • develop a plan to address changes to URMC’s security environment
  • revise its policies and procedures
  • provide privacy training

What’s your mobile device data encryption policy? If your answer is less-than-comforting, we’re here to help.

Don’t become a HIPAA Horror Story! HIPAA compliance is easy, when you know the rules.

Copyright © 2023 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC
