Recent $3.9 Million HIPAA Settlement Over Improper Disclosure of Research Participant PHI Highlights Need for HIPAA Compliance

On March 17, 2016, the Department of Health and Human Services Office for Civil Rights (OCR) announced a $3.9 million settlement with Feinstein Institute for Medical Research for potential violations of the HIPAA Security Rule. OCR began an investigation after Feinstein filed a breach report indicating that a laptop computer containing electronic protected health information (ePHI) of approximately 13,000 patients and research participants had been stolen from an employee's car. The ePHI at issue included research participant names, dates of birth, addresses, Social Security numbers, diagnoses, laboratory results, medications, and other medical information related to participation in a research study. In its investigation, OCR found that Feinstein's security management process was insufficient "to address the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity."

Specifically, the OCR press release indicates that Feinstein:

  • Lacked policies and procedures for authorizing workforce members' access to ePHI,
  • Failed to implement safeguards restricting access to ePHI to authorized users,
  • Lacked policies and procedures governing the receipt and removal of laptops containing ePHI into and out of its facilities, and
  • Failed to implement proper mechanisms for safeguarding ePHI on electronic equipment procured outside of Feinstein's standard acquisition process.

OCR enforcement actions like the Feinstein settlement underscore the need for covered entities (and their business associates) to maintain effective HIPAA compliance policies, backed by a current risk analysis, so that the standards of the Privacy and Security Rules are actually met in practice and not only on paper.