Healthcare Information Security

HIPAA and Compliance News

Research Institute Agrees to Pay $3.9M in HIPAA Settlement

Feinstein Institute agrees to pay $3.9 million for a HIPAA settlement after OCR investigated a health data breach in 2012.

By Jacqueline Belliveau

Feinstein Institute for Medical Research will pay $3.9 million in a HIPAA settlement with the Department of Health and Human Services (HHS) for a health data breach that occurred in September 2012, HHS reports.


The OCR stresses that research institutions must comply with HIPAA Rules just like all other HIPAA-covered entities.

Feinstein Institute is a research facility sponsored by New York-based Northwell Health Inc., a healthcare system that contains 21 hospitals and over 450 patient facilities and physician practices.

“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” said Jocelyn Samuels, Director of OCR. “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”

The health data breach reportedly occurred when a computer programmer’s laptop was stolen from a car. The employee was responsible for organizing research data.

The laptop contained ePHI, such as names, dates of birth, addresses, Social Security numbers, diagnoses, laboratory results, medications, and medical information for potential participants. The Office for Civil Rights (OCR) reported that 13,000 individuals were potentially affected by the data breach.

According to OCR’s investigation, the Feinstein Institute’s security management system was “limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity.”

The OCR discovered that the Feinstein Institute also did not have appropriate policies and procedures for authorizing access to ePHI, including a lack of safeguards to restrict access to unauthorized users. The Feinstein Institute also did not have comprehensive policies for controlling the physical movement of laptops containing ePHI into and out of its facilities. In particular, the institute did not establish proper safeguards for ePHI on electronic equipment that was acquired outside of the research facility.

Feinstein Institute announced in a recent press release that it has worked on improving health data security. It has communicated with individuals whose information may have been breached and offered them credit monitoring. Feinstein Institute also created a call center to address concerns about the potential violation.

To strengthen data security, Feinstein Institute has taken steps to implement a five-part corrective and preventative action plan covering the following areas:

1) training and oversight
2) policy enhancement
3) deployment of additional technical safeguards
4) analysis of security posture
5) disciplinary action

The research facility reported that there have been no cases of unauthorized access or use of the ePHI on the laptop.

In light of this case, OCR reminds research institutions that they need to be aware of HIPAA regulations to ensure PHI and other health information is protected by the necessary safeguards. This case involved clear failures of both physical and technical safeguards.

HHS states that physical safeguards involve protecting information systems, buildings, and equipment from potential environmental hazards and unauthorized access. Covered entities need to create policies that govern the physical movement of information systems, like laptops, to comply with HIPAA Rules.

It becomes more challenging to ensure physical safeguards are in place as more researchers and healthcare providers use their own devices.

Technical safeguards are policies and procedures that dictate how technology must be used in a secure way. Examples include data encryption and multi-factor authentication. Covered entities also need to restrict access to PHI to authorized personnel only.

As seen in this case, an OCR investigation into alleged HIPAA violations can cost facilities millions of dollars. HHS also reminds all HIPAA-covered entities that potential violations can cost facilities their reputation. Individuals need to trust that research institutions, like Feinstein, are keeping their health information safe and secure.
