
Feinstein’s security and procedural failures result in $3.9 million HIPAA settlement

The Feinstein Institute for Medical Research has agreed to pay $3.9 million to the United States Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. As with most OCR settlements, the money is only part of the penalty: Feinstein must also carry out a substantial corrective action plan to bring its practices into compliance.

OCR’s press statement on the settlement emphasized its resolve to enforce the HIPAA Privacy and Security Rules: “This case demonstrates OCR’s commitment to promoting the privacy and security protections so critical to build and maintain trust in health research.”

According to OCR, Feinstein is a biomedical research institute organized as a New York not-for-profit corporation and sponsored by Northwell Health, Inc., formerly known as North Shore Long Island Jewish Health System, a large health system headquartered in Manhasset, New York that comprises twenty-one hospitals and over 450 patient facilities and physician practices.

OCR’s investigation began when Feinstein filed a breach report on September 2, 2012, reporting that a laptop holding the electronic protected health information (ePHI) of approximately 13,000 patients and research participants had been stolen from a Feinstein employee’s car.

The ePHI on the laptop included the names of research participants, dates of birth, addresses, Social Security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study. Concentrating that much protected health information on a single portable device, with no controls over where it went or who could access it, left it one car break-in away from exposure.

OCR’s investigation found that Feinstein’s security protections were limited in both scope and size. Feinstein lacked policies and procedures for authorizing workforce members’ access to ePHI, and it had not implemented safeguards to restrict access to its systems by unauthorized users. It also had no policies or procedures governing laptops containing ePHI, such as a check-in and check-out process for devices leaving and returning to its facilities, that would have controlled the kind of removal that led to this breach.

For electronic equipment holding ePHI that was acquired outside Feinstein’s standard acquisition process, Feinstein did not implement sound mechanisms for safeguarding ePHI as required by the HIPAA Privacy and Security Rules.

“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” said OCR Director Jocelyn Samuels.  “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”

In sum, Feinstein failed badly in its duty to safeguard the ePHI of several thousand patients. The failure was not one employee’s lapse but a gap in policy and procedure: no access authorization process, no safeguards against unauthorized users, no control over laptops carrying ePHI off the premises, and no protections for equipment acquired outside the normal process. These are the controls the HIPAA Security Rule already requires, and basic attention to those requirements would have prevented this outcome.