Feinstein Institute for Medical Research in $3.9 Million Settlement with OCR

by | Mar 19, 2016

Feinstein Institute for Medical Research has settled potential HIPAA violations for $3.9 million with the Department of Health and Human Services’ Office for Civil Rights.

This is the second largest settlement penalty agreed with OCR, just below the $4.8 million settlement with New York and Presbyterian Hospital and Columbia University in 2014. However, it is the largest amount paid by a single covered entity, exceeding last year’s $3.5 million settlement with Triple S Management Corporation. The announcement comes a day after OCR revealed another large settlement, the $1.55 million paid by North Memorial Health Care.

Feinstein Institute for Medical Research is a not-for-profit biomedical research center located in New York. Feinstein is funded by Northwell Health, Inc., the new name for North Shore Long Island Jewish Health System, a large 21-hospital and 450-practice health system based in Manhasset, NY.

This settlement arises from a review of a 2012 breach of 13,000 research participants’ data. As with North Memorial Health Care, the breach involved an unencrypted laptop computer being stolen from an employee’s vehicle. In this instance, the unencrypted laptop was left on the back seat of a car in clear view of anyone passing by. The laptop was stolen from the vehicle on September 2, 2012.

The laptop stored a large amount of data including research participants’ full names, addresses, dates of birth, medical diagnoses, lab test results, prescribed medications, medical data relating to the research study, and Social Security information.

The review into the data breach showed a substandard security management process, and a catalogue of HIPAA Security Rule breaches, summarized by OCR as being “insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.”

Those breaches included:

  • The impermissible disclosure of the ePHI of 13,000 individuals (45 C.F.R. § 164.502(a))
  • An inaccurate and incomplete risk analysis (45 C.F.R. § 164.308(a)(1)(ii)(A))
  • A failure to implement policies and procedures governing access by its staff to the ePHI of research participants (45 C.F.R. § 164.308(a)(4)(ii)(B))
  • A lack of physical safeguards to prevent the theft of equipment or the accessing of ePHI by unauthorized persons (45 C.F.R. § 164.310(c))
  • A lack of policies and procedures governing the removal of equipment used to store ePHI from its facilities, and the control of such equipment within the research center (45 C.F.R. § 164.310(d))
  • The failure to encrypt ePHI or to use another appropriate security measure to safeguard it, together with a lack of adequate documentation supporting the decision not to encrypt (45 C.F.R. § 164.312(a)(2)(iv))

Along with paying the $3.9 million settlement, Feinstein Institute for Medical Research was required to agree to a thorough Corrective Action Plan (CAP) to address all HIPAA failures, and to formulate new policies and procedures to ensure ePHI is properly protected going forward.

According to the OCR official release, “This case demonstrates OCR’s commitment to promoting the privacy and security protections so critical to build and maintain trust in health research.” When announcing the settlement, OCR Director Jocelyn Samuels said, “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”

Absence of Encryption in ePHI Can Prove Costly

HIPAA does not make the encryption of ePHI obligatory. Encryption is an addressable implementation specification, not a required one. However, a risk analysis must be completed to determine whether the confidentiality, integrity, and availability of ePHI are at risk. If that risk analysis finds ePHI is at risk of exposure, the data should be encrypted to safeguard it. If the decision is taken not to encrypt, the covered entity is required to document that decision and the reasons why encryption was not found to be reasonable or appropriate, and an equivalent alternative safeguard must then be implemented to protect the ePHI. In the Feinstein case, OCR found neither the encryption nor the documentation supporting a decision not to encrypt.

OCR has issued a number of heavy fines to organizations that failed to encrypt laptop computers that were removed from hospitals and healthcare centers. Yet each year many cases of laptop theft are reported to OCR, and many of those involve the theft of unencrypted laptops from cars.

The substantial settlements revealed this week should act as a warning to healthcare providers and other HIPAA covered entities. If the decision is taken not to encrypt personal data, and that data are then stolen, the decision not to encrypt could prove very costly indeed, potentially far more costly than the encryption itself.


Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile: