Feinstein Institute for Medical Research has settled potential HIPAA violations for $3.9 million with the Department of Health and Human Services’ Office for Civil Rights.
This is the second largest settlement penalty agreed with OCR, just below the $4.8 million settlement with New York and Presbyterian Hospital and Columbia University in 2014. However, it is the largest amount paid by a single covered entity, pipping last year's $3.5 million settlement with Triple S Management Corporation. The announcement of the settlement comes a day after OCR revealed another large settlement, the $1.55 million paid by North Memorial Health Care.
Feinstein Institute for Medical Research is a not-for-profit biomedical research center located in New York. Feinstein is funded by Northwell Health, Inc., the new name for North Shore Long Island Jewish Health System, a large 21-hospital, 450-practice health system based in Manhasset, NY.
This settlement arises from a review of the 2012 breach of 13,000 research participants' data. As was the case with North Memorial Health Care, the breach involved an unencrypted laptop computer being stolen from an employee's vehicle. In this instance, the unencrypted laptop had been left on the back seat of a car in plain view of anyone passing by. The laptop was stolen from the vehicle on September 2, 2012.
The laptop stored a large amount of data including research participants’ full names, addresses, dates of birth, medical diagnoses, lab test results, prescribed medications, medical data relating to the research study, and Social Security information.
The review into the data breach showed a substandard security management process, and a catalogue of HIPAA Security Rule breaches, summarized by OCR as being “insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.”
Those breaches included:
- The impermissible release of ePHI of 13,000 individuals (45 C.F.R. § 164.502(a))
- An inaccurate and unfinished risk analysis (45 C.F.R. § 164.308(a)(1)(ii)(A))
- A failure to put in place policies and procedures governing access to the ePHI of research participants’ data by its staff (45 C.F.R. § 164.308(a)(4)(ii)(B))
- A lack of physical measures to prevent the theft of data or accessing of ePHI by unauthorized people (45 C.F.R. § 164.310(c))
- A lack of policies and procedures governing the removal of equipment used to store ePHI from its facilities, and the control of such equipment within the research center (45 C.F.R. § 164.310(d))
- The failure to properly encrypt data or use another appropriate security measure to safeguard ePHI, together with a lack of adequate documentation supporting the decision not to encrypt (45 C.F.R. § 164.312(a)(2)(iv))
Along with paying the $3.9 million settlement, Feinstein Institute for Medical Research was required to agree to a thorough Corrective Action Plan (CAP) to address all HIPAA failures, and to formulate new policies and procedures to ensure ePHI is properly protected going forward.
According to the OCR official release “This case demonstrates OCR’s commitment to promoting the privacy and security protections so critical to build and maintain trust in health research.” When announcing the agreement of the settlement, OCR Director Jocelyn Samuels said “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”
Absence of Encryption in ePHI Can Prove Costly
HIPAA does not make the encryption of ePHI mandatory. Under the Security Rule, encryption is an addressable implementation specification rather than a required one. However, a covered entity must complete a risk analysis to determine whether the confidentiality, integrity, and availability of ePHI is at risk. If that risk analysis finds ePHI at risk of exposure, the data should be encrypted to safeguard it. If the decision is taken not to encrypt, the covered entity is required to document the decision and the reasons why encryption was not found to be reasonable and appropriate, and must then implement an equivalent alternative safeguard to protect the ePHI. Note that this is exactly the gap cited against Feinstein: not only the absence of encryption, but the absence of documentation supporting the decision not to encrypt.
OCR has issued a number of heavy fines to organizations that failed to encrypt laptop computers removed from hospitals and healthcare centers. Yet each year many cases of laptop theft are reported to OCR, and many of those involve the theft of unencrypted laptops from cars.
The substantial settlements revealed this week should act as a warning to healthcare providers and other HIPAA covered entities. If the decision is taken not to encrypt ePHI on portable devices, and that data is then stolen, the decision not to encrypt could prove very costly indeed, potentially far more costly than the encryption itself would have been.
The full Resolution Agreement and Corrective Action Plan are published by OCR.