Last week, the University of Rochester Medical Center (URMC) reached agreement with the New York Office of the Attorney General (NYOAG) to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by paying $15,000 and adopting a substantial corrective action plan.

URMC experienced a HIPAA breach earlier this year.  In March 2015, while preparing to leave URMC for employment with Greater Rochester Neurology (GRN), a nurse practitioner obtained the contact information of 3,403 URMC patients she had formerly treated.  She provided this information to GRN, which sent letters to the patients advising them of the nurse’s departure and the option to seek treatment at GRN.  Upon receiving complaints from patients, URMC terminated the nurse and sent breach notifications to affected patients, the U.S. Department of Health and Human Services, and the media.  URMC also obtained a certification from GRN that all patient data involved had been returned or deleted.  Following the incident, URMC convened a task force to address issues regarding patient data in connection with departing and incoming employees.

As a result of the breach, in addition to agreeing to pay $15,000, URMC agreed to take certain corrective action measures.  Specifically, URMC agreed to: provide the NYOAG with the recommendations of its task force; provide the NYOAG with certain privacy, security, and breach notification policies and procedures; train its workforce; and notify the NYOAG of any known data breaches for 3 years.

This settlement is particularly notable because, since becoming empowered to enforce HIPAA in 2009, state attorneys have become increasingly more active with respect to exercising such authority.  This settlement has been added to Cooley’s “Select HIPAA Privacy and Security Enforcement Actions Tracker” that may be accessed on the right side of this page or under the “Resources” tab above.