Research Institute Breach Results in $3.9 Million SanctionSecond HIPAA Settlement This Week Tied to a Laptop Theft Incident
Federal regulators have smacked a New York-based medical research institute with a $3.9 million penalty following a breach involving the theft of an unencrypted laptop containing data about several thousand patients and participants in a research project.
In a March 17 statement, the Department of Health and Human Services' Office for Civil Rights says Feinstein Institute for Medical Research, Manhasset, N.Y., agreed to pay $3.9 million to settle potential HIPAA violations. The resolution agreement also includes "a substantial corrective action plan" to bring the research institute's operations into compliance, OCR says. The HIPAA enforcer's key areas of concern included insufficient security management processes, policies and procedures.
Of more than 30 resolution agreements issued by OCR since 2008, this is the first involving a research institute. The settlement announcement is the second revealed this week and the fourth enforcement action so far this year. On March 16, the HIPAA enforcement agency announced another settlement tied to a breach involving a stolen laptop. In that case, North Memorial Healthcare was hit with a $1.55 million penalty after a breach investigation tied to the theft of a laptop at its business associate, Accretive Health.
The agency notes that the Feinstein Institute case "demonstrates OCR's commitment to promoting the privacy and security protections so critical to build and maintain trust in health research."
Feinstein Institute is a not-for-profit biomedical research sponsored by Northwell Health, Inc., formerly known as North Shore Long Island Jewish Health System, which includes 21 hospitals and more than 450 patient facilities and physician practices.
OCR says its investigation began after Feinstein Institute filed a breach report indicating that on Sept. 2, 2012, a laptop computer containing the electronic PHI of approximately 13,000 patients and research participants was stolen from an employee's car. The ePHI stored in the laptop included the names of research participants, dates of birth, addresses, Social Security numbers, diagnoses, laboratory results, medications and medical information relating to potential participation in a research study, OCR says.
OCR investigators discovered that "Feinstein's security management process was limited in scope, incomplete and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the entity," the office says.
"Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities," according to OCR. For electronic equipment procured outside of Feinstein Institute's standard acquisition process, Feinstein Institute failed to implement proper mechanisms for safeguarding ePHI as required by the HIPAA Security Rule, OCR notes.
"Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities," said OCR Director Jocelyn Samuels in a statement. "For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure."
Feinstein Institute Response
In a statement, Feinstein Institute says, "Subsequent to the theft in 2012, the Feinstein Institute worked diligently to take corrective measures, which included communicating with participants whose information was on the laptop, providing credit monitoring and establishing a dedicated call center to ensure that participants receive accurate personal information about their data, and implementing a five-part corrective and preventive action plan to increase 1) training and oversight, 2) policy enhancement, 3) deployment of additional technical safeguards, 4) analysis of security posture, and 5) disciplinary action in the Feinstein Institute community."
The statement says that there have been no reports of unauthorized access to or use of the information on the stolen laptop and there's been no harm to the research participants as a result of the theft.
"The Feinstein Institute greatly values the commitment of research participants to advance discoveries that improve the health of our community," the statement notes. "As such, we took very seriously implementing corrective action over the last few years to ensure a safe and protected environment for research."
The proper protection of PHI of patients participating in medical research projects is a growing concern, especially as the nation advances its medical research efforts, such as the Precision Medicine Initiative, which aims to quicken medical discoveries and improve treatments of patient based on genomics and other sensitive information.
"OCR doesn't have authority over all research entities because they aren't all covered entities or business associates," says privacy attorney Kirk Nahra of the law firm Wiley Rein. Still, the office is "definitely sending a message to these folks to be careful and smart with research data," he adds.
"This particular case also is complicated by the involvement of a research entity," he says. "So this case also sends a message to the research community that they need to be paying a lot of attention to these issues. "
Nahra says the series of recent OCR settlements reveals "an ongoing and expanded focus on overall security efforts and compliance activities. This is clearly a focus of attention, and an area where companies need to make sure they are taking appropriate action."
Corrective Action Plan
As part of the resolution agreement, Feinstein Institute agreed to a corrective action plan that includes:
- Conducting an enterprisewide risk analysis that incorporates all electronic equipment, including equipment purchased outside of its standard procurement process; data systems; and applications controlled, administered, or owned by Feinstein Institute and its workforce members, that contain, store, transmit or receive FIMR ePHI;
- Developing an enterprisewide risk management plan to address and mitigate any security risks and vulnerabilities identified in its risk analysis;
- Developing a process to evaluate any environmental or operational changes that affect the security of ePHI;
- Revising current privacy and security policies and procedures based on the findings of the risk analysis and the remedial actions, and distributing and implementing those policies and procedures;
- Developing and implementing workforce training related to the HIPAA privacy, security, and breach notification rules.