Skip to content

OCR Announces $3 Million HIPAA Settlement for Unencrypted Mobile Devices and $1.6 Million HIPAA Penalty for Unsecured Server



University of Rochester Medical Center Resolution Agreement (Oct. 30, 2019) and HHS Press Release (Nov. 5, 2019); Texas Health and Human Services Commission Notice of Final Determination (Oct. 25, 2019) and HHS Press Release (Nov. 7, 2019)

HHS’s Office for Civil Rights (OCR) has announced the outcome of two investigations involving violations of HIPAA’s privacy and security rules. First, OCR announced a resolution agreement with a medical center that impermissibly disclosed protected health information (PHI) through the loss of an unencrypted flash drive and the theft of an unencrypted laptop. OCR’s investigation revealed that the medical center had failed to conduct a proper risk analysis and had not implemented security policies and procedures to guard against the loss or theft of hardware and electronic media containing PHI. It further found that the medical center had continued to use unencrypted mobile devices despite its receipt of technical assistance from OCR following a prior, similar breach. The medical center agreed to pay $3 million and entered into a two-year corrective action plan requiring, among other things, a thorough risk analysis and risk management plan; updated policies and procedures addressing uses and disclosures of PHI, risk analysis and risk management, device and media controls, and encryption; workforce training; and oversight by HHS.

The second investigation resulted in the imposition of a $1.6 million civil monetary penalty against a state agency that reported it had inadvertently posted PHI of 6,617 individuals on a public server where a flaw in the software code allowed access without user credentials. The compromised data included names, addresses, Social Security and Medicaid numbers, and treatment and diagnosis information. Because of inadequate audit controls, the state agency was unable to determine how many unauthorized persons accessed the individuals’ PHI. After receiving OCR’s “Letter of Opportunity” and proposed penalty assessment, the state agency waived its right to a hearing. Thus, penalties were assessed for the impermissible disclosure of PHI, lack of access controls and audit controls, and failure to conduct an agency-wide risk analysis.

EBIA Comment: These two actions signal OCR’s continued emphasis on enforcement and provide useful insights into OCR’s approach to penalties. Although the medical center’s breaches may have affected comparatively few individuals, its failure to fix known risks, follow OCR’s technical assistance, or adopt the relatively basic safeguard of encryption undoubtedly increased the settlement amount. And calculation of the state agency’s penalty illustrates the impact of OCR’s recent reduction to the calendar-year penalty caps (see our Checkpoint article), which lowered this penalty by about $3 million. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”), XX.E. (“Civil Monetary Penalties”), and XXX (“Core Security Requirements”). See also EBIA’s Self-Insured Health Plans manual at Section XXXI (“HIPAA Privacy, Security, and EDI”). You may also be interested in our webinar “Nuts and Bolts of HIPAA Uses and Disclosures” (recorded on 7/25/19).


Contributing Editors: EBIA Staff.

More answers