The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced it has arrived at a settlement with the Feinstein Institute for Medical Research for potential HIPAA violations stemming from a 2012 data breach. The Feinstein Institute has agreed to pay the OCR $3.9 million to settle the charges and has also agreed to adopt a corrective action plan (CAP) to address the issues raised during the OCR breach investigation.
The OCR explained that all HIPAA covered entities, including research institutions, must comply with Health Insurance Portability and Accountability Act Rules, and that the same compliance standards apply to every covered entity. OCR Director Jocelyn Samuels explained that it is essential that research institutions comply with HIPAA Rules, saying, “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”
The New York-based Northwell Health-sponsored Feinstein Institute experienced a data breach in 2012 resulting in the exposure of research participants’ names, addresses, dates of birth, Social Security numbers, laboratory test results, medical diagnoses, and clinical information. In total, 13,000 individuals were impacted by the breach.
The breach occurred when the unencrypted laptop computer of a computer programmer was stolen from a vehicle. The employee had been tasked with organizing patients’ research data and had removed the laptop from the company premises and left it unattended in the locked vehicle.
The OCR conducted a full investigation into the data breach and identified a number of violations of HIPAA Rules. OCR investigators determined that the security management system at the Feinstein Institute was limited in scope and was “insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.”
The policies and procedures covering authorization of access to ePHI were insufficient, and comprehensive policies had not been developed to control the movement of laptop computers into and out of the research institute’s facilities. The OCR also determined that adequate safeguards had not been put in place to ensure that ePHI was appropriately secured on electronic equipment procured outside the institute’s standard acquisition process.
The Feinstein Institute confirmed in a recent press release that all individuals affected by the data breach have been contacted and offered credit monitoring and credit protection services. No reports have been received to suggest that patients’ PHI has been used inappropriately. The Feinstein Institute has also implemented additional controls to keep ePHI secure and to prevent future data breaches.