
OCR Announces $3.9 Million Settlement with Feinstein Institute for Medical Research

The Department of Health and Human Services’ Office for Civil Rights has announced it has settled potential HIPAA violations with Feinstein Institute for Medical Research for $3.9 million.

This is the second largest settlement amount agreed with OCR, behind the $4.8 million settlement with New York and Presbyterian Hospital and Columbia University in 2014. However, it is the largest amount paid by a single covered entity, beating last year’s $3.5 million settlement with Triple S Management Corporation. The news comes a day after OCR announced another large settlement, the $1.55 million paid by North Memorial Health Care.

Feinstein Institute for Medical Research is a not-for-profit biomedical research institute based in New York. Feinstein is sponsored by Northwell Health, Inc., the new name for North Shore Long Island Jewish Health System, a large 21-hospital and 450 practice health system based in Manhasset, NY.

The settlement stems from an investigation into a breach of 13,000 research participants’ data in 2012. As was the case with North Memorial Health Care, the breach involved the theft of an unencrypted laptop computer from an employee’s vehicle. In this instance, the unencrypted laptop computer was left on the back seat of a car in full view of anyone passing by. The laptop was stolen from the vehicle on September 2, 2012.

The laptop stored a wealth of data including research participants’ full names, addresses, dates of birth, medical diagnoses, lab test results, prescribed medications, medical data relating to the research study, and Social Security numbers.

The investigation into the data breach revealed a substandard security management process, and a catalogue of HIPAA Security Rule violations, summarized by OCR as being “insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.”

Those violations included:

  • The impermissible disclosure of ePHI of 13,000 individuals (45 C.F.R. § 164.502(a))
  • An inaccurate and incomplete risk analysis (45 C.F.R. § 164.308(a)(1)(ii)(A))
  • A failure to implement policies and procedures governing access to the ePHI of research participants by its workforce members (45 C.F.R. § 164.308(a)(4)(ii)(B))
  • A lack of physical safeguards to prevent the theft of data or access to ePHI by unauthorized individuals (45 C.F.R. § 164.310(c))
  • A lack of policies and procedures governing the removal of equipment used to store ePHI from its facilities, and control of equipment within the research facility (45 C.F.R. § 164.310(d))
  • The failure to encrypt data or use another reasonable security measure to safeguard ePHI, together with a lack of documentation supporting the decision not to encrypt (45 C.F.R. § 164.312(a)(2)(iv))

In addition to paying the $3.9 million fine, Feinstein Institute for Medical Research was required to adopt an extensive Corrective Action Plan (CAP) to address all HIPAA failures, and to implement new policies and procedures to ensure ePHI is properly protected in future.

According to the OCR announcement, “This case demonstrates OCR’s commitment to promoting the privacy and security protections so critical to build and maintain trust in health research.” When announcing the settlement, OCR Director Jocelyn Samuels said “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”

The Decision Not to Encrypt ePHI Can Prove Costly

HIPAA does not demand the encryption of ePHI; encryption is only an addressable implementation specification. However, a risk analysis must be conducted to determine whether the confidentiality, integrity, and availability of ePHI are at risk. If that risk analysis determines ePHI is at risk of exposure, then the data should be encrypted. If the decision is taken not to encrypt data, the covered entity is required to document the decision and the reasons why encryption was not deemed reasonable or appropriate. An equivalent alternative security measure must then be used to safeguard ePHI.

OCR has issued a number of hefty fines to organizations that have failed to encrypt laptops removed from hospitals and healthcare facilities. Yet each year numerous cases of laptop theft are reported to OCR, many of which involve the theft of unencrypted laptops from vehicles.

The substantial settlements announced this week should act as a warning to healthcare providers and other HIPAA covered entities. If the decision is taken not to encrypt data, and those data are subsequently stolen, the decision not to encrypt could prove very costly indeed. That cost could be far in excess of the cost of encryption.

Full details of the Resolution Agreement and Corrective Action Plan can be downloaded/viewed on this link.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.