The New York attorney general recently entered into a settlement agreement with the University of Rochester Medical Center (URMC) for HIPAA violations. The enforcement action by New York comes on the heels of a HIPAA enforcement action by the Connecticut attorney general in early November 2015.  Prior to the Health Information Technology for Economic and Clinical Health (HITECH) Act, only the federal government could enforce HIPAA.

In March 2015, a nurse practitioner was preparing to leave URMC for a position at Greater Rochester Neurology (GRN).  Before leaving, the nurse practitioner asked URMC for and was given a list of the 3,403 patients she had treated while at URMC. The list also included patient addresses and diagnoses. The nurse practitioner gave the list to GRN without obtaining consent from the patients. While the nurse was still at URMC, GRN mailed letters to the patients on the list announcing that the nurse practitioner would be joining the group and that the patients could continue to receive treatment from the nurse practitioner at GRN. Shortly thereafter URMC began receiving complaints from patients who received the letters and URMC reported the breach to the U.S. Department of Health and Human Services and the media and notified all individuals.

The settlement requires URMC to pay a $15,000 penalty, provide the New York attorney general with copies of its HIPAA policies and procedures, provide training to its workforce members and report to the New York attorney general all HIPAA breaches.