As we’ve previously covered, public data puts the average HIPAA penalty for a single stolen laptop at $881,305. With last week’s large new HIPAA settlement announced by the HHS Office for Civil Rights (OCR), that average is going up.
In the latest case, the Feinstein Institute for Medical Research agreed to pay $3.9 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights to settle potential violations of the HIPAA Privacy and Security Rules.
OCR’s investigation began after Feinstein filed a breach report stating that in early September 2012 a laptop containing the electronic protected health information (ePHI) of approximately 13,000 patients and research participants was stolen from an employee’s car. The ePHI stored on the laptop included research participants’ names, dates of birth, addresses, Social Security numbers, diagnoses, lab results, medications and medical information relating to a research study. (As a general point for practitioners: the HIPAA Breach Notification Rule applies to unsecured ePHI, and data encrypted in line with HHS guidance is exempt, which is why a stolen laptop only becomes a reportable breach when the data on it was not protected that way. The press release does not state how the data on this laptop was protected.)
Further investigation found that Feinstein’s security management process did not adequately address risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI it held. In addition, Feinstein lacked policies and procedures for authorizing workforce members’ access to ePHI, failed to implement safeguards restricting access by unauthorized users, and lacked policies and procedures governing the receipt and removal of laptops containing ePHI into and out of its facilities.
“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” said OCR Director Jocelyn Samuels.
About Feinstein Institute for Medical Research
The Feinstein Institute for Medical Research is the research branch of the Northwell Health enterprise and is headquartered in Manhasset, NY. The Institute is composed of more than 1,500 clinicians, scientists and staff who work in laboratories and clinical research programs in collaboration with clinicians and patients throughout the many facilities of Northwell Health.
According to the press release, in addition to the monetary settlement the organization agreed to undertake a substantial corrective action plan to bring its operations into compliance.