Feinstein Institute for Medical Research (FIMR) has signed a resolution agreement with the Department of Health and Human Services (HHS) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA settlement totals $3.9 million.
The potential violations related to how FIMR handled protected health information (PHI), and in particular electronic protected health information (ePHI). HHS defines PHI as individually identifiable health information relating to:
- The individual's past, present, or future physical or mental health condition,
- The provision of health care to the individual, or
- The payment for the provision of health care to the individual,
together with any identifiers (for example: name, address, date of birth, Social Security Number) that can be associated with that health information.
FIMR is a biomedical research institute that is organized as a New York not-for-profit corporation. It is sponsored by Northwell Health (formerly North Shore-LIJ Health System), a health system headquartered in Manhasset, New York, that is comprised of 21 hospitals and over 450 patient facilities and physician practices. Many of FIMR's workforce members have access to ePHI.
In September 2012, a laptop containing the ePHI of approximately 13,000 patients and research participants was stolen from a FIMR employee's car. The ePHI stored on the laptop included the names of research participants, dates of birth, addresses, Social Security Numbers, diagnoses, lab results, medications, and medical information relating to potential participation in a research study. FIMR reported the breach to HHS on November 14, 2012. The report prompted an HHS investigation into FIMR's compliance with the HIPAA Rules.
HHS has the authority to conduct compliance reviews and to investigate complaints alleging violations of the Privacy, Security, and Breach Notification Rules. Covered entities and business associates must cooperate with HHS compliance reviews and investigations. FIMR is a covered entity under HIPAA.
HHS' investigation found that FIMR:
- Did not protect the confidentiality of the ePHI on the stolen laptop;
- Had not conducted an accurate and thorough risk analysis of the risks to its ePHI, as the Security Rule requires;
- Lacked policies and procedures for authorizing workforce members' access to ePHI;
- Did not implement physical safeguards to restrict unauthorized access to the laptop and other portable media holding ePHI; and
- Failed to implement a mechanism to encrypt ePHI, or to document why encryption was not reasonable and appropriate, as the Security Rule requires.
These findings led to the $3.9 million settlement. In addition, FIMR agreed to follow a corrective action plan to bring its ePHI practices into compliance.
This settlement should serve as a reminder for employers that sponsor group health plans to keep ePHI and other PHI secure in order to avoid penalties from HHS. Here are steps to stay compliant with the HIPAA Security Rule:
- Conduct an accurate and thorough risk analysis, and repeat it at least annually and whenever systems or practices change.
- Adopt and follow appropriate policies and procedures for authorizing access to ePHI, including how portable devices and media carrying ePHI may leave the facility.
- Use physical, administrative, and technical safeguards to keep ePHI secure.
- Implement a mechanism to encrypt ePHI, particularly on laptops and other portable devices, or document why encryption is not reasonable and appropriate.
As part of its continued efforts to assess compliance with HIPAA, the HHS Office for Civil Rights has begun its next phase of audits of covered entities and their business associates. This makes it more important than ever for group health plan sponsors to comply with HIPAA's requirements.