HHS is coming down hard with the fines!

The University of Rochester Medical Center (URMC) has agreed to pay $3 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

#Chousangle - On the surface this looks like an easy fix: encrypt every device, thumb drives and laptops included. Encrypting the devices is the easier part, because it is a point solution that can be bought and rolled out. The challenge comes down to standing up the security program the corrective action agreement requires, which is an ongoing organizational commitment rather than a one-time purchase.

A third-party consulting firm will conduct the risk analysis to identify the gaps. Once the gaps are identified, so is the technical debt in the network infrastructure, and that raises a set of questions leadership has to answer:

  1. Will budget be allocated to support a next-generation secured infrastructure, or will the health system take 3-5 years on the infrastructure redesign and implementation, creating a constant state of hardware refresh?

  2. Enterprise risk needs an organizational owner. Who is accountable for enterprise risk? This has to be the COO or someone leading operations and not the CIO.

  3. A key area is designing a security program with the right governance structure, rather than checking boxes on the audit.

  4. Will research institutions comply with the organization's security protocol?

  5. How will we hold employees accountable for failing to comply with the security guidelines?

These are just a few notes off the top of my head. What are your thoughts?





ABOUT David Chou

David Chou serves as the SVP/CIO for a public academic health system. Chou has held executive roles with the Cleveland Clinic, Children's Mercy Hospital, University of Mississippi Medical Center, AHMC Healthcare, and Prime Healthcare.

David is a dynamic keynote speaker and industry commentator working with clients to transform their business models using technology. He has spoken around the world at healthcare technology conferences, including keynotes for leading industry events and intimate executive settings. Chou is also one of the most mentioned CIOs in the media and is widely quoted in outlets such as the Wall Street Journal, Modern Healthcare, HIMSS Media, ZDNet, CIO.com, Huffington Post, and Becker's Healthcare. David is an active member of both ACHE and HIMSS and serves on the board of CHIME.


