Research institute agrees to $3.9 million HIPAA settlement
April 05, 2016
A biomedical research institute has agreed to pay a $3.9 million settlement to the federal government after an investigation determined that a stolen laptop contained the electronic protected health information of approximately 13,000 patients and research participants.
According to a release from the U.S. Office for Civil Rights, the New York-based Feinstein Institute for Medical Research filed a breach report under the Health Insurance Portability and Accountability Act when, in 2012, a laptop computer was stolen from an employee's car. According to OCR, the protected health information included the names, addresses, birthdates, Social Security numbers, diagnoses, laboratory results, medications and medical information of approximately 13,000 patients and research participants.
During the investigation, OCR discovered that Feinstein's security management process was limited in scope, and incomplete and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity and availability of the institute's protected health information. OCR also said that Feinstein lacked policies and procedures to govern the receipt and removal of laptops with electronic protected health information coming in and out of its facilities. It also noted that Feinstein failed to safeguard electronic equipment procured outside of its standard acquisition process as required by HIPAA.
"Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities," said Jocelyn Samuels, OCR director. "For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure."
The resolution agreement and corrective action plan may be found on the OCR website.