NY research firm to pay $3.9 million for data breach

The Feinstein Institute for Medical Research improperly discloses the electronic protected health data of 13,000 patients and research participants

Insurance News

By Louie Bacani

A private medical research institute in New York has agreed to pay $3.9 million to settle its alleged violations of the Health Insurance Portability and Accountability Act (HIPAA).
 
An investigation by the Department of Health and Human Services Office for Civil Rights (OCR) found that the Feinstein Institute for Medical Research violated the HIPAA Privacy and Security Rules by improperly disclosing the electronic protected health information (ePHI) of patients and research participants.
 
The investigation stemmed from a breach report filed by Feinstein in September 2012 indicating that a laptop computer containing the ePHI of approximately 13,000 patients and research participants was stolen from an employee’s car.
 
The ePHI stored in the laptop included the names of research participants, birth dates, addresses, social security numbers, diagnoses, laboratory results, medications and medical information relating to potential participation in a research study.
 
The OCR probe discovered that Feinstein’s security management process was limited in scope, incomplete and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI.
 
“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” said OCR Director Jocelyn Samuels.
 
“For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure,” she added.
 
According to the OCR, Feinstein’s HIPAA violations include:
  • Lack of policies and procedures for authorizing access to ePHI by its employees
  • Failure to implement safeguards to restrict access to unauthorized users
  • Lack of policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities
  • Failure to implement proper mechanisms for protecting ePHI for electronic equipment procured outside of Feinstein’s standard acquisition process
