Feinstein Institute for Medical Research has agreed to settle charges of improper disclosure of PHI with the Department of Health and Human Services’ Office for Civil Rights (OCR). A payment of $3.9 million will be made, with Feinstein also required to adopt a stringent corrective action plan to address a number of violations of HIPAA Rules discovered by OCR investigators.
Laptop Containing PHI Was Left On the Back Seat of a Car
OCR conducted an investigation into a data breach reported by Feinstein in September 2012. An employee of Feinstein left an unencrypted laptop computer unattended on the back seat of a car, from which it was subsequently stolen. The laptop contained the protected health information of 13,000 individuals who were taking part in a research study.
A considerable amount of data was stored on the device, including the names of research participants along with dates of birth and Social Security numbers, home addresses, medical diagnoses and prescribed medications, lab test results, and medical information. The laptop computer was not recovered. Without encryption of data, the theft was likely to have involved the improper disclosure of PHI to unauthorized individuals.
OCR Uncovers Numerous HIPAA Violations
The investigation revealed numerous violations of the HIPAA Rules, notably the improper disclosure of PHI, a failure to conduct a thorough risk analysis, a failure to implement physical safeguards to secure PHI, a lack of policies governing the devices used to store ePHI, a lack of controls over workforce access to ePHI, and the failure to encrypt PHI.
While encryption is only an addressable implementation specification under the HIPAA Security Rule, all covered entities must assess whether data encryption is reasonable and appropriate based on the level of risk of ePHI being exposed. If ePHI is not encrypted, an equivalent alternative measure must be used to ensure that ePHI is safeguarded, and the decision not to encrypt must be documented. Feinstein neither employed an alternative measure nor documented its reason for not encrypting the data.
Improper Disclosure of PHI Results in Largest Ever HIPAA Penalty for a Single Covered Entity
The numerous HIPAA failures and scale of the breach warranted a substantial financial penalty. The penalty could have been considerably higher. For each violation category, OCR is permitted to issue a fine of up to $1.5 million.
This settlement may not be the largest HIPAA penalty to date, but it is the largest HIPAA settlement ever agreed with a single entity. New York-Presbyterian Hospital and Columbia University settled with OCR for $4.8 million in 2014, although that civil monetary penalty was shared between the two institutions. The $3.9 million settlement is therefore the largest penalty paid by a single HIPAA covered entity to date for the improper disclosure of PHI.