
OCR Sanctions Two Healthcare Organizations for Potential HIPAA Violations, Fines Total $5.5M

March 18, 2016
by Heather Landi

This week, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced two significant settlements, totaling $5.5 million in fines, with healthcare organizations charged with violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

Feinstein Institute for Medical Research, a biomedical research institute affiliated with Northwell Health, Inc., formerly North Shore Long Island Jewish Health System, agreed to pay a $3.9 million settlement for potential HIPAA violations due to the disclosure of research participants’ protected health information (PHI) when a laptop was stolen from an employee’s car.

The latest sanction, announced on March 17, is the second by OCR in two days. On Wednesday, OCR announced that North Memorial Health Care of Minnesota, a health care system serving the Twin Cities and surrounding communities, agreed to a $1.55 million fine for potential HIPAA violations.

In the Feinstein Institute for Medical Research case, according to an OCR press release, Feinstein filed a breach report indicating that on September 2, 2012 a laptop computer containing the electronic PHI of approximately 13,000 patients and research participants was stolen from an employee’s car. The ePHI stored in the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications and medical information relating to potential participation in a research study.

“OCR’s investigation discovered that Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity. Further, Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities. For electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule,” OCR stated in the press release.

“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” OCR director Jocelyn Samuels said in a statement. “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”

As part of the settlement, Feinstein agreed to undertake a substantial corrective action plan to bring its operations into compliance. 

In the case of North Memorial Health Care of Minnesota, the health system agreed to settle charges that it violated HIPAA privacy and security rules because it failed to enter into a business associate agreement with a major contractor and failed to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information, according to an OCR press release.

“Two major cornerstones of the HIPAA Rules were overlooked by this entity,” Samuels said in a statement. “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

OCR stated that it initiated an investigation of North Memorial following receipt of a breach report on September 27, 2011 in which the health system indicated that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the ePHI of 9,497 individuals.

According to OCR, an investigation indicated that North Memorial failed to have in place a business associate agreement, as required under the HIPAA Privacy and Security Rules, so that its business associate could perform certain payment and health care operations activities on its behalf.

“North Memorial gave its business associate, Accretive Health, Inc., access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial,” OCR stated. “The investigation further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure—including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.”

In addition to the $1.55 million fine, North Memorial also is required to develop an organization-wide risk analysis and risk management plan and also has agreed to train appropriate workforce members on all newly developed or revised policies and procedures.

HHS offers model business associate agreement language at: as well as guidance on conducting a HIPAA Risk Analysis:
