Just How Not “HIPAA Mandatory” Is Encryption?

In case you were ever wondering whether your practice needs to encrypt its ePHI:

Let the $3 million HIPAA penalty paid last month by the University of Rochester Medical Center (URMC), one of the largest medical systems in NY State, serve as a warning.

The Department of Health and Human Services’ Office for Civil Rights (OCR) received breach reports in 2013 and 2017 when URMC lost an unencrypted flash drive and then had an unencrypted laptop stolen, after which OCR began investigating the healthcare center. Unfortunately for URMC, this wasn’t their first rodeo; OCR had also investigated them after a report of a lost flash drive in 2010. The OCR was much nicer back then; they provided technical assistance to the center, but apparently that didn’t stick. The newest investigation uncovered a multitude of HIPAA violations, including some that should have been fixed after the assistance they received in 2010.

But I thought Data Encryption was only RECOMMENDED?

Technically, that’s kind of right. Encryption is not deemed MANDATORY by HIPAA; however, after running a sufficient Risk Assessment, there must be written documentation of WHY it’s not necessary, and an alternative safeguard must be in place.

Needless to say, URMC had neither.

The recent investigation verified that the ePHI of more than 40 patients was in fact breached. Not only that, but URMC also failed to run a satisfactory Risk Analysis. So in addition to their hefty $3 million fine, they must also implement a comprehensive corrective plan to fix their non-compliance, and the OCR will be watching them.

In fact, OCR Director Roger Severino warned that “When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”

And he isn’t playing around. A total of six businesses were assessed HIPAA penalties in 2019 after failing to address issues previously uncovered by the OCR, and URMC was the fourth to be fined for failing to run a risk assessment.

Tsk, tsk.

How do I make sure my business isn’t next?

Is your company in danger of being fined by the OCR? Have you run a Risk Assessment? If so, is it good enough?

Schedule a free appointment with Craig to find out, or call us at 919-422-2607… Unless you have a spare $3 million lying around?