The Department of Health and Human Services’ Office for Civil Rights has announced it has settled potential HIPAA violations with Feinstein Institute for Medical Research for $3.9 million.
This is the second largest settlement amount agreed with OCR, behind the $4.8 million settlement with New York and Presbyterian Hospital and Columbia University in 2014. However, this is the largest amount paid by a single covered entity, beating last year’s $3.5 million settlement with Triple S Management Corporation. The news comes a day after OCR announced another large settlement – the $1.55 million paid by North Memorial Health Care.
Feinstein Institute for Medical Research is a not-for-profit biomedical research institute based in New York. Feinstein is sponsored by Northwell Health, Inc., the new name for North Shore Long Island Jewish Health System, a large 21-hospital and 450 practice health system based in Manhasset, NY.
The settlement stems from an investigation into a breach of 13,000 research participants’ data in 2012. As was the case with North Memorial Health Care, the breach involved the theft of an unencrypted laptop computer from an employee’s vehicle. In this instance, the unencrypted laptop computer was left on the back seat of a car in full view of anyone passing by. The laptop was stolen from the vehicle on September 2, 2012.
The laptop stored a wealth of data including research participants’ full names, addresses, dates of birth, medical diagnoses, lab test results, prescribed medications, medical data relating to the research study, and Social Security numbers.
The investigation into the data breach revealed a substandard security management process, and a catalogue of HIPAA Security Rule violations, summarized by OCR as being “insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.”
Those violations included:
- The impermissible disclosure of ePHI of 13,000 individuals (45 C.F.R. § 164.502(a))
- An inaccurate and incomplete risk analysis (45 C.F.R. § 164.308(a)(1)(ii)(A))
- A failure to implement policies and procedures governing access to the ePHI of research participants’ data by its workforce members (45 C.F.R. § 164.308(a)(4)(ii)(B))
- A lack of physical safeguards to prevent the theft of data or accessing of ePHI by unauthorized individuals (45 C.F.R. § 164.310(c))
- A lack of policies and procedures governing the removal of equipment used to store ePHI from its facilities, and control of equipment within the research facility (45 C.F.R. § 164.310(d))
- The failure to encrypt data or use another reasonable security measure to safeguard ePHI, together with a lack of documentation supporting the decision not to encrypt (45 C.F.R. § 164.312(a)(2)(iv))
In addition to paying the $3.9 million fine, Feinstein Institute for Medical Research was required to agree to adopt an extensive Corrective Action Plan (CAP) to address all HIPAA failures, and to implement new policies and procedures to ensure ePHI is properly protected in future.
According to the OCR announcement, “This case demonstrates OCR’s commitment to promoting the privacy and security protections so critical to build and maintain trust in health research.” When announcing the settlement, OCR Director Jocelyn Samuels said “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”
The Decision Not to Encrypt ePHI Can Prove Costly
HIPAA does not demand the encryption of ePHI. Data encryption is an addressable implementation specification, not a required one. However, a risk analysis must be conducted to determine whether the confidentiality, integrity, and availability of ePHI are at risk. If that risk analysis determines ePHI is at risk of exposure, then the data should be encrypted. If the decision is taken not to encrypt data, the covered entity is required to document the decision and the reasons why encryption was not deemed to be reasonable or appropriate. Alternative security measures must then be used to safeguard ePHI.
OCR has issued a number of hefty fines to organizations that have failed to encrypt laptops that have been removed from hospitals and healthcare facilities. Yet each year numerous cases of laptop theft are reported to OCR, many of which involve the theft of unencrypted laptops from vehicles.
The substantial settlements announced this week should act as a warning to healthcare providers and other HIPAA covered entities. If the decision is taken not to encrypt data, and those data are subsequently stolen, the decision not to encrypt could prove to be very costly indeed. Potentially that cost could be far in excess of the cost of encryption.
Full details of the Resolution Agreement and Corrective Action Plan can be downloaded/viewed on this link.