Printer Friendly, PDF & Email

As MD Anderson Keeps Up Its Legal Fight, U. Rochester Pays OCR $3M

Ah, those pesky residents. If you’re a teaching hospital, you can’t live without them, right? But sometimes living with them is mighty costly, as the University of Rochester Medical Center (URMC) was the most recent to discover.

Joining a long line of universities and other academic medical centers, URMC in November paid[1] the HHS Office for Civil Rights (OCR) $3 million to settle allegations that it committed five separate HIPAA violations. OCR cited the loss by two resident physicians of a USB drive (2013) and a laptop (2017) as the triggers for its enforcement action. The devices were unencrypted, which was an especially sore point for OCR—as was the fact that URMC was something of a repeat offender.

But just as URMC was agreeing to a multimillion-dollar payment and a two-year corrective action plan (CAP), the University of Texas MD Anderson Cancer Center was keeping up its fight against paying $4.358 million to OCR for nearly identical circumstances—losses of mobile devices and (alleged) lack of encryption. MD Anderson’s court appeal,[2] filed in April, is still awaiting a response from HHS, following a recently granted extension.

URMC’s breaches were small compared to the thousands—even millions—of records that have been inappropriately used or disclosed over time, but nonetheless proved expensive.

This document is only available to subscribers. Please log in or purchase access