NY Attorney General HIPAA Fine for URMC

An attorney general HIPAA fine of $15,000 has been issued to University of Rochester Medical Center for a breach of patient privacy that occurred in March, 2015.

An OCR and Attorney General HIPAA Fine May Be Issued for a Breach of HIPAA Rules

It is not only Office for Civil Rights that is permitted to issue financial penalties for violations of HIPAA Rules. State attorneys general can also enforce HIPAA Privacy, Security, and Breach Notification Rules.

State attorneys general were given the power to assist OCR with the enforcement of Health Insurance Portability and Accountability Act Rules following the introduction of the HITECH Act in 2009, although few state AGs have chosen to do so. Action is sometimes taken against healthcare organizations that have exposed the data of patients, but the decision is taken to prosecute under state consumer protection laws rather than HIPAA.

The first attorney general HIPAA fine was issued by the Connecticut AGs office on July, 6, 2010. HealthNet Inc. was fined $250,000 for the loss of a hard drive containing the PHI of 1.5 million individuals. Since then, a number of states have opted to issue HIPAA fines, with the North Eastern states the most active. Connecticut, Massachusetts, Vermont, and now New York, have all taken action over HIPAA breaches that have affected state residents.

The University of Rochester Medical Center Data Breach

As previously reported, the University of Rochester medical center data breach occurred in March of this year. A nurse practitioner was due to leave her employment at URMC and take up a new position with a different healthcare provider. Before she left, she requested URMC provide her with a list of patients and URMC obliged. The nurse then took that list to her new employer, who sent letters to the patients confirming the nurse’s new position; offering them the opportunity to continue their care with the same nurse, in the new medical facility. The list was provided to ensure the level of care patients received from URMC would not suffer. In total, 3,403 individuals had their privacy violated.

Who Owns Patient Data?

Medical care may be provided by a nurse, or other healthcare professional; however, it is the healthcare facility that must implement controls to keep patient data secure.

Patients may choose to change healthcare provider to continue their treatment with a specific individual. Each patient has the right to receive medical care in the facility of their choosing. During the course of a consultation an individual can explain to a patient that they are changing employment, but nurses and other healthcare professionals are not permitted to take patient data with them when they leave for another employer.

The nurse in question disclosed patients’ PHI to her new employer, which breached HIPAA Rules. Action could be taken against the nurse, although the NY attorney general decided to take action against URMC for providing patient data to the nurse. URMC did take action following the breach to ensure that similar incidents would not occur in the future, but it was not enough to escape an attorney general HIPAA fine.

HIPAA Penalties for URMC

URMC has agreed to pay the attorney general HIPAA fine of $15,000, undergo a full review of policies and procedures by the OAG Task Force, adhere to strict reporting requirements for the next 3 years, and conduct further training of the workforce within 60 days. All new members of staff must also receive full training on HIPAA rules before being granted access to the PHI of patients.

The resolution agreement can be viewed here.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.