In what seems to be an aggressive enforcement strategy by HHS/OCR, Feinstein Institute for Medical Research has agreed to pay the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) $3.9 million to settle potential violation of the HIPAA Privacy and Security Rules and will undertake a substantial corrective action plan to bring its operations into compliance. The fourth HIPAA violation fines in 2016(read the previous resolution agreements here) demonstrates OCR’s commitment to promoting the privacy and security protections so critical to build and maintain trust in health research.
What is the specific HIPAA violation?
Feinstein filed a breach report indicating that on September 2, 2012, a laptop computer containing the electronic protected health information (ePHI) of approximately 13,000 patients and research participants was stolen from an employee’s car. The ePHI stored in the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study.
Subsequent investigation by OCR discovered that Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity. Further, Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities. For electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule.
“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” said OCR Director Jocelyn Samuels. “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”
HIPAA Violation Fines and Corrective Action Plan (CAP)
FIMR has agreed to pay HHS, the amount of $3.9 million. In addition, FIMR has entered into and agrees to comply with the Corrective Action Plan (“CAP”) which is provided for readers benefit below.
What could have been done differently?
FIMR, being supported by the leading hospital, should have encrypted the data in all the end devices. Encryption is the key to end device protection and in many cases considered as silver bullet as entities need not report if an encrypted end device is lost. Conducting periodic security risk assessment in addition de-identifying data could have easily prevented this issue from happening.
The resolution agreement and corrective action plan can be downloaded from the below link:
Need help to understand HIPAA regulations and to stay compliant?
Join our webinar on Security Best Practices to Protect Patient Data by Samudra Vijay of SamITSolutions.com on May 12th,2016 at 12noon.
To learn more about how EHR 2.0 can help your practice to comply and protect patient data, visit us at https://ehr20.com/services/hipaa-hitech-compliance-assurance/
Latest posts by EHR 2.0 (see all)
- HIPAA Complaint Process Infographic Released by HHS - July 15, 2019
- New HHS Fact Sheet on Direct Liability of Business Associates under HIPAA - June 5, 2019
- California Consumer Privacy Act of 2018 – Bill Text - April 4, 2019