OCR Sanctions Two Healthcare Organizations for Potential HIPAA Violations, Fines Total $5.5M | Healthcare Informatics Magazine

March 18, 2016
by Heather Landi

This week, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced two significant settlements, totaling $5.5 million in fines, with healthcare organizations charged with violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

Feinstein Institute for Medical Research, a biomedical research institute affiliated with Northwell Health, Inc., formerly North Shore Long Island Jewish Health System, agreed to pay a $3.9 million settlement for potential HIPAA violations due to the disclosure of research participants’ protected health information (PHI) when a laptop was stolen from an employee’s car.

The latest sanction, announced on March 17, is the second by OCR in two days. On Wednesday, OCR announced that North Memorial Health Care of Minnesota, a health care system serving the Twin Cities and surrounding communities, agreed to a $1.55 million fine for potential HIPAA violations.

In the Feinstein Institute for Medical Research case, according to an OCR press release, Feinstein filed a breach report indicating that on September 2, 2012 a laptop computer containing the electronic PHI of approximately 13,000 patients and research participants was stolen from an employee’s car. The ePHI stored in the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications and medical information relating to potential participation in a research study.

“OCR’s investigation discovered that Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity.  Further, Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities.  For electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule,” OCR stated in the press release.

“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” OCR director Jocelyn Samuels said in a statement.  “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.” 

As part of the settlement, Feinstein agreed to undertake a substantial corrective action plan to bring its operations into compliance. 

In the case of North Memorial Health Care of Minnesota, the health system agreed to settle charges that it violated HIPAA privacy and security rules because it failed to enter into a business associate agreement with a major contractor and failed to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information, according to an OCR press release.

“Two major cornerstones of the HIPAA Rules were overlooked by this entity,” Samuels said in a statement. “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

OCR stated that it initiated an investigation of North Memorial following receipt of a breach report on September 27, 2011 in which the health system indicated that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the ePHI of 9,497 individuals.

According to OCR, an investigation indicated that North Memorial failed to have in place a business associate agreement, as required under the HIPAA Privacy and Security Rules, so that its business associate could perform certain payment and health care operations activities on its behalf.

“North Memorial gave its business associate, Accretive Health, Inc., access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial,” OCR stated. “The investigation further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure—including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.”

In addition to the $1.55 million fine, North Memorial also is required to develop an organization-wide risk analysis and risk management plan and also has agreed to train appropriate workforce members on all newly developed or revised policies and procedures.

HHS offers model business associate agreement language at: http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html as well as guidance on conducting a HIPAA Risk Analysis: http://www.healthit.gov/providers-professionals/security-risk-assessment.
