NEW YORK (Legal Newsline) – Attorney General Eric Schneiderman recently announced a settlement with the University of Rochester Medical Center (URMC) over a patient privacy breach in which a former employee allegedly shared information without authorization.
Under the Health Insurance Portability and Accountability Act (HIPAA) settlement, the medical center will train its workforce on policies and procedures aimed at protecting patient health information. URMC must notify the attorney general of any future breaches and pay a $15,000 fine.
“This settlement strengthens protections for patients at URMC, and it puts other health care entities on notice that my office will enforce HIPAA data breach provisions,” Schneiderman said. “My office is committed to protecting patients’ private health information. Other medical centers, hospitals, health care providers, and health care entities should view this settlement as a warning, and take the time now to review and amend, as needed, their own policies and procedures to better protect private patient information.”
A data breach this spring prompted this settlement. A URMC nurse practitioner moved on from the medical center and allegedly gave Greater Rochester Neurology (GRN), her next employer, a list of more than 3,000 patients. GRN then used this list to send mail to the patients advising them to switch their health care.
URMC learned of the breach following calls from patients. The nurse practitioner was fired, and GRN claimed to have returned or deleted all information.
In 2009, state attorneys general were given power under the Health Information Technology for Economic and Clinical Health Act to enforce HIPAA rules, allowing them to bring civil actions against violators.