HIPAA Enforcement Activities in November 2019

November 2019 saw the issuance of three financial penalties on HIPAA-covered entities to settle HIPAA violations.

University of Rochester Medical Center (URMC) paid $3,000,000 to OCR to resolve its HIPAA violation case. OCR started investigating URMC after getting two breach notifications involving missing or stolen devices. In 2010, OCR investigated URMC after losing the first device and offered the medical center technical support. Back then, URMC knew that keeping ePHI on devices entails a high risk and so encryption is deemed necessary. However, there was no implementation of needed controls by URMC and the center continued using unencrypted portable electronic devices. The next time OCR investigated URMC was after the laptop computer theft, the investigators determined that URMC failed in 3 things: to perform a company-wide risk analysis, to reduce risks to a reasonable and proper level, and to implement the required device media controls.

Sentara Hospitals decided to resolve its HIPAA violations by paying OCR $2,175,000. OCR started a compliance investigation after getting a patient’s complaint in April 2017. The complaint was about a bill the patient received from Sentara that contains the protected health information (PHI) of another patient. Sentara Hospitals’ breach report stated that the breach only affected 8 persons, however, OCR learned that 577 letters were erroneously sent to 16,342 different guarantors. Sentara Hospitals declined to correct its breach report with the new figure. OCR additionally discovered Sentara Hospitals’ failure to sign a business associate agreement with one vendor.

The Texas Department of Aging and Disability Services (DADS) was issued a sizeable financial penalty. In 2015, DADS reported to OCR a breach affecting 6,617 patients’ ePHI. A problem in a web app allowed unauthorized people to view the patients’ ePHI over the internet. The ePHI as exposed for about 8 years. Upon investigation, OCR learned that DADS did not conduct a company-wide risk analysis, did not have adequate access controls, and did not monitor information system activity. The penalty paid by DADS to settle the HIPAA violation case amounted to $1.6 million.