OCR Investigates North Memorial Health System of Minnesota and Feinstein Institute for Medical Research for Missing Laptop, Discovers Rampant Privacy and Security Violations for a combined $5.55 Million Settlement
On March 17, 2016 the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reached a settlement with the North Memorial Health System of Minnesota for $1.55 million after it improperly disclosed the protected health information (PHI) of almost 300,000 patients during 2011. On Thursday a larger settlement of $3.9 million was announced with the Feinstein Institute for Medical Research.
In September of 2011, North Memorial reported that a laptop containing the electronic PHI (ePHI) of 6,697 patients had been stolen in July of 2011. During the course of OCR's investigation, North Memorial also reported several other violations, including the fact that the organization did not have a documented business associate agreement (BAA) with its billing company, Accretive, from March of 2011 through October of 2011. A BAA was finally put in place in October, but by then the lapse had already resulted in the impermissible disclosure of the PHI of at least 289,904 patients during the months in which no BAA existed.
“Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, Director of OCR. “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”
OCR determined that North Memorial had violated the HIPAA Privacy and Security Rules by allowing Accretive access to PHI, both electronic and physical, without a proper BAA in place. The Security Rule also requires covered entities to conduct an accurate and thorough risk analysis of the risks to their ePHI, which North Memorial had not performed.
North Memorial has agreed to develop an organization-wide risk analysis and risk management plan, to be completed and reviewed within 180 days. New training must also be extended to all employees so that they become familiar with the policies and procedures created under the corrective action plan.
Additionally, a breach report filed on September 2, 2012 by the Feinstein Institute for Medical Research prompted a separate investigation. Officials at Feinstein reported that a laptop containing the ePHI of 13,000 patients, including names, dates of birth, social security numbers, and other medical information, had been stolen from an employee's car. OCR found that Feinstein lacked the policies and procedures required under HIPAA to implement safeguards restricting access to ePHI by unauthorized users.
Although OCR was called in for a missing laptop in each case, North Memorial's settlement, one of the largest in the history of HIPAA enforcement, rested on an entirely unrelated, but equally serious, violation: the missing BAA and the absent risk analysis. OCR is raising the stakes of enforcement through larger settlements, especially when PHI breaches affect this many individuals. Business associates and covered entities alike are held to the same compliance standards. Implementing and maintaining effective business associate agreements is more pressing now than ever before.