- The New York-based Feinstein Institute for Medical Research has agreed to pay HHS's Office for Civil Rights (OCR) $3.9 million to settle allegations of HIPAA violations.
- Feinstein, a biomedical research nonprofit sponsored by Northwell Health, will also launch a "substantial corrective action plan," according to an HHS announcement released last week.
- OCR found Feinstein lacked policies and procedures governing the movement of laptops containing patients' electronic protected health information (ePHI) into and out of its facilities.
Feinstein filed a breach report saying that a laptop that contained the ePHI of about 13,000 patients and research participants -- including names, addresses, Social Security numbers, diagnoses, laboratory results, and medications -- had been stolen from an employee's car on Sept. 2, 2012. HHS was notified about the breach on Sept. 14 of that year.
OCR then initiated an investigation, which found the institute's security management process was "limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity."
“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” OCR Director Jocelyn Samuels said in a prepared statement.
The investigation also found Feinstein had not established policies and procedures for granting employees access to ePHI, nor safeguards to restrict unauthorized users.
Among the several corrective obligations Feinstein has agreed to meet, according to the resolution agreement and corrective action plan, are: providing OCR with a risk analysis of all electronic equipment within 180 days; developing an evaluation process for environmental and operational changes that could affect ePHI security within 120 days; and implementing policies and procedures based on the findings from the risk analysis and actions identified in HHS' Risk Management Plan.
OCR has conducted 33 HIPAA privacy and security investigations since 2008, Modern Healthcare reports.