Deeper Than the Headlines: In Case You Needed Any More Reasons to Conduct Your Annual Risk Analysis

The OCR recently published a press release, resolution agreement and corrective action plan it made with the University of Rochester Medical Center (URMC) which agreed to pay $3 million to the OCR, in large part because of lost mobile devices that were unencrypted.

Some Background

URMC includes healthcare components such as the School of Medicine and Dentistry and Strong Memorial Hospital. URMC is one of the largest health systems in New York State, employing over 26,000 individuals.

URMC filed breach reports with the OCR in 2013 and 2017, following its discovery that protected health information (PHI) had been impermissibly disclosed through the loss of an unencrypted flash drive and theft of an unencrypted laptop. Following an investigation, the OCR revealed that URMC failed to:

  • Conduct an enterprise-wide risk analysis
  • Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level
  • Utilize device and media controls
  • Employ a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it was reasonable and appropriate to do so

The OCR also reported that, in 2010, they investigated URMC concerning a similar breach involving a lost, unencrypted flash drive and at the time, provided technical assistance to URMC. Despite the previous OCR investigation, and URMC's own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices.

The OCR Director, Roger Severino said, “Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk. When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”

The Resolution Agreement

According to the resolution agreement, the OCR’s investigation additionally found:

  • The ePHI of 43 patients was disclosed when an unencrypted, personally-owned laptop used in the course of treatment, was stolen from a treatment facility.
  • URMC failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI held by URMC.
  • URMC failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
  • URMC failed to implement sufficient policies and procedures that govern receipt and removal of hardware and electronic media that contain ePHI into, and out of, a facility and the movement of these items within the facility.
  • URMC failed to implement sufficient mechanisms to encrypt and decrypt ePHI or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption to safeguard ePHI.

URMC also agreed to a two-year corrective action plan. The corrective action plan calls for, but was not limited to, the following:

  • URMC shall conduct an accurate and thorough Risk Analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by URMC.
  • URMC shall develop a written risk management plan (or plans) sufficient enough to reduce risks and vulnerabilities to a reasonable and appropriate level, as required by the Security Rule ("Risk Management Plan"). The Risk Management Plan shall include a process and timeline for URMC implementation, evaluation, and revision.
  • URMC shall develop a process to evaluate any environmental or operational changes that affect the security of URMC ePHI.
  • URMC shall review and, to the extent necessary, revise its current Privacy and Security Rules Policies and Procedures based on the findings of the risk analysis and the implementation of the risk management plan.
  • URMC shall require a signed written or electronic initial compliance certification from appropriate members of the workforce stating that the workforce members have read, understand, and shall abide by the policies and procedures.
  • URMC shall provide training for appropriate workforce members and each appropriate workforce member shall certify, in writing or in electronic form, that she or he has received and understands the required training. The training certification shall specify the date on which training was received.

All course materials shall be retained, and URMC shall review the training annually, and, where appropriate, update the training to reflect changes in Federal law or HHS guidance, any issues discovered during internal or external audits or reviews, and any other relevant developments.

There’s a lot we can learn from reading the resolution agreement and the corrective action plan. In essence, these documents strongly suggest every covered entity and business associate what the OCRs expectations consist of as they relate to HIPAA compliance.  Don’t wait until your organization is under investigation, be proactive in your HIPAA compliance efforts today by conducting a thorough HIPAA risk assessment.

Questions or Comments?