Improper Disclosure of Research Information Results in $3.9 Million Settlement
On March 17, 2016, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) announced that the Feinstein Institute for Medical Research (“Feinstein”) agreed to pay $3.9 million to resolve allegations that it violated the Health Insurance Portability and Accountability Act (“HIPAA”). The Feinstein settlement underscores the need to create and implement policies governing access to electronic protected health information (“ePHI”) and the removal of hardware containing ePHI from a worksite, and to ensure that proper physical safeguards protect laptops and other devices that store ePHI.
Feinstein is a New York not-for-profit corporation sponsored by Northwell Health, Inc. (“Northwell”). OCR’s investigation of Feinstein began after Feinstein reported a HIPAA breach in September 2012. Feinstein’s breach report stated that an unencrypted laptop containing ePHI was stolen from the car of a Feinstein employee. The laptop contained the ePHI of 13,000 individuals.
Following its investigation of Feinstein’s breach report, OCR alleged that Feinstein failed to do each of the following: (1) conduct a risk assessment of the potential risks and vulnerabilities to the ePHI it held; (2) implement policies and procedures for granting access to ePHI; (3) implement physical safeguards for the laptop; (4) implement policies and procedures governing the receipt and removal of hardware and electronic media containing ePHI into and out of a facility; and (5) implement a mechanism to encrypt ePHI or, where encryption was not used, ensure that an equivalent alternative measure safeguarded the ePHI.
Feinstein and OCR entered into a Resolution Agreement and Corrective Action Plan (“CAP”) to resolve the allegations. In addition to the $3.9 million payment, Feinstein agreed to do the following as part of the three-year CAP:
- Conduct and submit to OCR a risk analysis that incorporates and takes inventory of all electronic equipment, data systems, and applications that contain, store, transmit or receive ePHI. This risk analysis is subject to amendment and modification until approved by OCR.
- Develop a management plan to address and mitigate security risks identified in the risk analysis. This management plan must be approved by OCR and must be revised until OCR’s concerns are addressed.
- Review privacy and security policies and procedures and submit the same to OCR for review and approval.
- Distribute policies and procedures to its workforce and obtain signed certifications that the employees understand and will abide by the policies and procedures.
- Update the policies and procedures at least once every twelve months.
- Develop training materials addressing the requirements of the privacy, security and breach notification rules and submit the same to OCR for review and approval.
As part of a thorough and substantive HIPAA compliance program, covered entities should have policies and procedures in place to: (1) identify the appropriate uses and disclosures of ePHI; (2) outline how ePHI is kept secure and managed; (3) govern how devices and media are protected and how the ePHI stored on them is controlled; and (4) describe how encryption and decryption of ePHI should be applied. Encryption deserves particular attention: under HHS guidance, ePHI that is encrypted consistent with that guidance is not considered “unsecured,” so the loss or theft of a properly encrypted device generally does not trigger breach notification. Had the Feinstein laptop been encrypted, the theft would likely have been an inventory loss rather than a reportable breach.
OCR has been active in HIPAA enforcement, and Saul Ewing continues to monitor these developments. The Feinstein settlement was the second settlement announced by OCR in a two-day period (March 16, 2016 and March 17, 2016). Saul Ewing has also written about other recent OCR HIPAA resolutions, including the settlement announced by OCR on March 16, 2016.
Saul Ewing attorneys have extensive experience assisting covered entities and business associates with HIPAA Privacy Rule, Security Rule and Breach Notification Rule compliance. We routinely prepare HIPAA compliance protocols and assist covered entities and business associates with risk assessments. For more information on these matters, please contact the authors or the attorney at the firm with whom you are regularly in contact.