The University of Rochester Medical Center has agreed to pay a $15,000 fine and educate its workers on health care privacy laws to settle a claim over an unauthorized release of patient data earlier this year, state Attorney General Eric Schneiderman said Tuesday.
In the May 2015 incident, a nurse practitioner who planned to leave URMC to join a private practice asked for and received files of 3,403 patients she had treated. She turned over the patient data to her new employer, which sent out letters telling patients that the nurse practitioner would be joining its practice and that they could seek future care there.
After some patients complained to the medical center, URMC investigated the breach and in a matter of days took action, suspending and then firing the nurse practitioner and informing affected patients that their information had been wrongly passed to a new provider.
Schneiderman’s office subsequently investigated the incident under a federal law empowering state attorneys general to enforce provisions of the federal Health Insurance Portability and Accountability Act.
URMC CEO Mark Taubman, M.D., signed a settlement deal with state investigators last week.
“This settlement strengthens protections for patients at URMC, and it puts other health care entities on notice that my office will enforce HIPAA data breach provisions,” Schneiderman said this week.
Settlement terms give URMC 60 days to complete worker privacy-law training. The pact also calls for the university to report any breaches committed within the next three years to the attorney general.
(c) 2015 Rochester Business Journal. To obtain permission to reprint this article, call 585-546-8303 or e-mail email@example.com.