Medicare Compliance & Reimbursement

Industry Note:

Settlement Highlights the Importance of Encryption

Mobility drives healthcare today; it’s just that simple. Handy devices promote efficiency and are easy to use. But laptops, cell phones, and tablets are ripe for the taking and easy to lose — and that’s become a big problem for covered entities (CEs), amounting to big penalties and hefty settlements for the loss of electronic protected health information (ePHI).

For example: In 2013 and 2017, the University of Rochester Medical Center (URMC) in New York filed breach reports for a lost unencrypted flash drive and a stolen unencrypted laptop, respectively, according to an HHS Office for Civil Rights (OCR) release.

Upon investigation, OCR uncovered a laundry list of compliance issues, including risk analysis fails, security measure snafus, lackluster mobile device management (MDM), and encryption problems. Additionally, URMC was already on OCR’s radar after a 2010 investigation showed the organization had previously failed to implement encryption on its mobile devices.

Result: To rectify its substantial compliance issues, URMC settled potential violations with OCR for $3 million. The large teaching hospital system, which employs over 26,000 individuals, also agreed to a corrective action plan (CAP) and two years of OCR monitoring, notes the release.

“Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk,” says OCR director Roger Severino in the brief. “When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”

Read more about URMC’s settlement, CAP, and monitoring at www.hhs.gov/about/news/2019/11/05/failure-to-encrypt-mobile-devices-leads-to-3-million-dollar-hipaa-settlement.html.