[ Wednesday, November 06, 2019 ]
URMC: University of Rochester Medical Center fined $3,000,000
Jeff [7:36 AM]
for failure to encrypt a laptop that was stolen in 2017 and a flash drive that was lost in 2013. That seems like an extreme fine, but there's more to the story. In 2010, URMC also lost an unencrypted flash drive. OCR did an investigation and, instead of fining them, gave them technical assistance, which undoubtedly included a plan to encrypt all portable devices. Obviously, URMC didn't take the assistance and the encryption plan to heart. The settlement agreement is here.
Encryption is an addressable Security Rule standard, not a required one (addressable means you must implement it if reasonable and appropriate, or document why not and implement an equivalent alternative). However, encryption is close to being an industry standard; if you aren't using it, at least for portable devices, you had better have a good explanation of why. Not just for the regulators, but for your constituents, your principals, and your patients: if URMC had encrypted that flash drive and laptop, they would never have had to report the losses to OCR, there would have been no investigation, and there would have been no fine.