A provider and a healthcare research organization will pay nearly $5.5 million to the Office for Civil Rights at HHS to avoid further legal actions against them for Health Insurance Portability and Accountability Act privacy and security rule violations.
The harder hit of the two was the Feinstein Institute for Medical Research, a not-for-profit arm of Northwell Health, formerly North Shore Long Island Jewish Health System. Feinstein agreed to pay $3.9 million, one of the largest settlements in the agency's history.
The OCR began a HIPAA probe of the organization after it reported in 2012 that a laptop computer had been stolen from an employee's car, according to an agency statement.
The computer carried approximately 13,000 patients' and research participants' records that included names, dates of birth, addresses, Social Security numbers, diagnoses, laboratory results, medications and medical information, according to the OCR statement.
The feds' subsequent investigation revealed insufficient security measures. Specifically, according to the OCR statement, Feinstein “lacked policies and procedures for authorizing access” to electronic protected health information by its workforce members. It also found that Feinstein “failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal” of the facility's laptops that contained sensitive information.
As part of the settlement, Feinstein will prepare a corrective action plan to bring it into compliance with HIPAA.
North Memorial Health Care of Robbinsdale, Minn., agreed to pay $1,550,000 to settle charges that it potentially violated HIPAA “by failing to enter into a business associate agreement with a major contractor and failing to institute an organizationwide risk analysis to address the risks and vulnerabilities to its patient information,” according to a statement by the OCR.
A "business associate" is an organization hired or authorized by a HIPAA "covered entity," such as a hospital, physician office, insurance company or claims clearinghouse, to access and use its personally identifiable patient information. Its legal obligations to protect patient data in accordance with HIPAA privacy and security rules are spelled out in business associate agreements.
The feds' investigation of North Memorial also began with a stolen laptop, reported in 2011. The laptop this time carried the identifiable records of 9,497 individuals. The password-protected but unencrypted computer was taken from the vehicle of an employee of Accretive Health, an HHS spokeswoman said.
Accretive, an already troubled revenue-cycle management firm based in Chicago, also had access to North Memorial's database and its records on 289,904 patients, but, according to the OCR, North Memorial had no business associate agreement in place with Accretive.
The OCR investigation also found that North Memorial failed to complete a risk assessment, another HIPAA requirement.
With North Memorial, OCR Director Jocelyn Samuels said, “Two major cornerstones of the HIPAA rules were overlooked.” Organizations must have compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprisewide IT infrastructure, she said.
As part of the settlement, North Memorial also was required to develop a corrective action plan, risk assessment and risk management plan, and will train workforce members accordingly.
Since 2008, there have been 33 HIPAA privacy and security rule investigations by the OCR that have led to monetary payments, either via settlement agreements or legal actions. The largest came in 2014 via a court order to pay nearly $4.8 million against Cignet Health of Prince George's County, Md., which was accused of refusing to supply several dozen of its patients with copies of their records.