A New York biomedical research institute will pay $3.9 million to settle potential HIPAA violations, one of the largest HIPAA settlements ever reached following a breach. The settlement follows allegations that the Feinstein Institute for Medical Research, the research arm of the large health system then known as North Shore-LIJ Health System (now Northwell Health), headquartered in Manhasset, NY, allowed a laptop containing protected health information (PHI) to be stolen from the back seat of an employee’s car.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) opened an investigation in September 2012 after Feinstein reported the theft of the laptop, which was password-protected but not encrypted. A login password alone does not protect data at rest: the drive can be removed or the machine booted from other media and the files read directly, which is why OCR treats such a device as unencrypted and why the loss is a reportable breach of unsecured PHI. The laptop held electronic health records (EHR) that included the names, Social Security numbers, and medical information of about 13,000 people, including patients and research participants.
“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” said OCR Director Jocelyn Samuels. “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”
During its investigation, OCR concluded that Feinstein’s security management process was limited in scope and incomplete with regard to the risks to the confidentiality of its electronic PHI. Feinstein also lacked the policies and procedures needed to authorize and restrict workforce access to that data, had not implemented safeguards to keep unauthorized users from reaching it, and had no policies governing the movement of laptops containing EHR into and out of its facilities.
OCR said that Feinstein will undertake a “substantial” corrective action plan (CAP) to bring its operations into compliance with the HIPAA Security Rule. As part of this plan, Feinstein must conduct a risk analysis covering all of its electronic equipment, data systems, and applications that hold electronic PHI, and develop a risk management plan to address the risks that analysis identifies.
Following the theft, Feinstein took corrective measures of its own, including notifying the individuals whose PHI was on the laptop. It also provided credit monitoring and created a corrective and preventive action plan covering expanded training and oversight, policy enhancements, deployment of technical safeguards, ongoing security analysis, and disciplinary action within Feinstein for employees who fail to comply with the new policies and procedures.
Feinstein has stated that there have been no reports of unauthorized access to, or use of, the EHR on the stolen laptop, and that no harm has come to research participants in the wake of the theft. Note that the absence of reported misuse does not establish that the data was never read; without encryption, there is no way to demonstrate that it was not.
The Feinstein settlement follows a recent $1.55 million agreement that OCR reached with North Memorial Health Care of Minnesota after an unencrypted, password-protected laptop was stolen from a business associate’s employee’s vehicle. Together the two cases show the growing weight OCR places on protecting PHI that leaves the building on portable devices. The practical lesson is to treat every laptop and removable drive that may hold PHI as lost in advance: full-disk encryption consistent with HHS guidance means a stolen device does not expose unsecured PHI, and a risk analysis that actually inventories where PHI lives, combined with access policies and procedures that are enforced, is what keeps both the data and the organization out of OCR’s resolution agreements.