This week, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced two significant settlements, totaling $5.5 million in fines, with healthcare organizations charged with violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.
Feinstein Institute for Medical Research, a biomedical research institute affiliated with Northwell Health, Inc., formerly North Shore Long Island Jewish Health System, agreed to pay a $3.9 million settlement for potential HIPAA violations due to the disclosure of research participants’ protected health information (PHI) when a laptop was stolen from an employee’s car.
The latest sanction, announced on March 17, is the second by OCR in two days. On Wednesday, OCR announced that North Memorial Health Care of Minnesota, a health care system serving the Twin Cities and surrounding communities, agreed to a $1.55 million fine for potential HIPAA violations.
In the Feinstein Institute for Medical Research case, according to an OCR press release, Feinstein filed a breach report indicating that on September 2, 2012 a laptop computer containing the electronic PHI of approximately 13,000 patients and research participants was stolen from an employee’s car. The ePHI stored in the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications and medical information relating to potential participation in a research study.
“OCR’s investigation discovered that Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity. Further, Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities. For electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule,” OCR stated in the press release.
“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” OCR director Jocelyn Samuels said in a statement. “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”
As part of the settlement, Feinstein agreed to undertake a substantial corrective action plan to bring its operations into compliance.
In the case of North Memorial Health Care of Minnesota, the health system agreed to settle charges that it violated HIPAA privacy and security rules because it failed to enter into a business associate agreement with a major contractor and failed to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information, according to an OCR press release.
“Two major cornerstones of the HIPAA Rules were overlooked by this entity,” Samuels said in a statement. “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”
OCR stated that it initiated an investigation of North Memorial following receipt of a breach report on September 27, 2011 in which the health system indicated that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the ePHI of 9,497 individuals.
According to OCR, an investigation indicated that North Memorial failed to have in place a business associate agreement, as required under the HIPAA Privacy and Security Rules, so that its business associate could perform certain payment and health care operations activities on its behalf.
“North Memorial gave its business associate, Accretive Health, Inc., access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial,” OCR stated. “The investigation further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure—including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.
In addition to the $1.55 million fine, North Memorial also is required to develop an organization-wide risk analysis and risk management plan and also has agreed to train appropriate workforce members on all newly developed or revised policies and procedures.
HHS offers model business associate agreement language at: http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html as well as guidance on conducting a HIPAA Risk Analysis: http://www.healthit.gov/providers-professionals/security-risk-assessment.