The HHS Office for Civil Rights has announced sanctions that include a $3.9 million fine against Feinstein Institute for Medical Research, which is affiliated with Northwell Health, formerly known as North Shore Long Island Jewish Health System.

The latest sanction, detailed on March 17, is the second by OCR in two days. The day before, the agency announced sanctions against North Memorial Health Care of Minnesota that included a $1.55 million fine.

The sanction against Feinstein Institute resulted from the 2012 theft of an unencrypted laptop from an employee’s car. The laptop contained a range of demographic and medical information, as well as Social Security numbers, affecting about 13,000 patients and research participants.

An investigation found limited security management at Feinstein Institute with the organization lacking policies and procedures authorizing workforce access to electronic protected health information, governing receipt and removal of laptops holding PHI, and failing to implement safeguards for electronic equipment procured outside of the standard acquisition process, according to OCR.

Deven McGraw
Deven McGraw

More importantly, the organization not only failed to encrypt, but did not document “why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption to safeguard ePHI,” according to the resolution agreement. HIPAA does not expressly require encryption, but it does require documented justification of reasons for not adopting encryption.

Feinstein Institute issued the following statement to HDM: “The Feinstein Institute greatly values the commitment of research participants to advance discoveries that improve the health of our community. As such, subsequent to the theft in 2012, we implemented corrective action—new policies and procedures—to ensure the Feinstein Institute is a safe and protective environment for research. To ensure privacy and confidentiality of our research participants, we conduct consistent reviews and updates to our security procedures.”

OCR, which enforces the HIPAA privacy and security rules, has issued its nuclear option—the imposition of a resolution agreement, corrective action plan and a heavy fine—against six healthcare organizations since September.

Also See: HIPAA violations lead to $1.55 million fine of hospital system

The ramp-up in enforcement comes following the appointment of veteran privacy advocate Deven McGraw as deputy director for health information privacy in June. Also, OCR in part relies on fines for part of its funding. Since September, those fines have totaled $11,300,000.

With the recent sanctions, OCR, in sending a series of messages to the industry, has highlighted the need for sufficient risk analysis, risk management, business associate agreements, and device and media controls.

“This [Feinstein] case demonstrates OCR’s commitment to promoting the privacy and security protections so critical to build and maintain trust in health research,” an OCR statement said.

The resolution agreement and corrective action plan for Feinstein Institute is available here.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access