The New York-based Feinstein Institute for Medical Research has agreed to pay the Office for Civil Rights (OCR) $3.9 million to settle allegations that it violated the Health Insurance Portability and Accountability Act (HIPAA).
The incident occurred in September 2012, when a laptop was stolen from a Feinstein Institute employee's car. A stolen laptop does not by itself constitute a HIPAA violation. This device, however, held the electronic protected health information (EPHI) of roughly 13,000 patients, which obliged the OCR to step in. The EPHI stored on the laptop included patient names, addresses, Social Security numbers, laboratory test results, and medications.
Less than two weeks after the theft, Feinstein Institute filed a breach report with the Department of Health and Human Services (HHS), as required by the HIPAA Breach Notification Rule, which prompted the OCR to open an investigation. Investigators concluded that Feinstein Institute's security management was “limited, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity.”
In addition to the $3.9 million payment, the resolution requires Feinstein Institute to provide the OCR with a risk analysis covering its electronic equipment; to develop an evaluation process for changes that could affect the security of EPHI; and to implement the policies and procedures called for by that risk analysis.
This is not the first time a laptop holding PHI has been stolen from a healthcare worker's car, and it will not be the last. Reports like this one are all too common, and they underline the need for stronger protection of laptops and similar portable devices. So, as a healthcare provider, what can you do to avoid a HIPAA violation of this kind?
Healthcare providers can take several steps. The most important is to encrypt all EPHI stored on workers' laptops, ideally with full-disk encryption. Encryption does not stop a thief from taking the device, but it renders the data unreadable without the key. Two caveats matter in practice: the key must not travel with the device (a password written on the laptop, or a drive left unlocked and merely asleep, defeats the purpose), and the encryption must actually be enabled and verified on every device, not just on paper. Under the Breach Notification Rule, EPHI encrypted in line with HHS guidance is not considered "unsecured", so a lost or stolen encrypted laptop is generally not a reportable breach; this is precisely why encryption is the control that would have changed the outcome here. Beyond that, employers should be cautious about letting staff take home devices that hold EPHI at all. Storing EPHI in a cloud service instead of on the endpoint can be more secure, provided a Business Associate Agreement (BAA) is in place with the provider.
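Verifying the encryption claim is the step most often skipped. The following shell check is an added example and is not part of the original article: it inspects `lsblk` output from a Linux laptop and reports whether the root filesystem sits on a dm-crypt (LUKS) volume, walking up the device tree so that the common LVM-on-LUKS layout is also recognised. The function name, the column selection (`KNAME,TYPE,MOUNTPOINT,PKNAME`) and the sample block-device listings are assumptions constructed for the example; on a real machine you would feed it `lsblk -rno KNAME,TYPE,MOUNTPOINT,PKNAME` directly. Equivalent checks on other platforms are `manage-bde -status` on Windows and `fdesetup status` on macOS.

```shell
#!/bin/sh
# Added example, not from the original article: determine whether the root
# filesystem of a Linux laptop is backed by a dm-crypt (LUKS) device.
#
# Input (stdin) is raw, heading-less lsblk output with exactly these columns:
#     lsblk -rno KNAME,TYPE,MOUNTPOINT,PKNAME
# In raw (-r) mode fields are separated by a single space and empty fields
# are kept, so we split on a literal single space ('[ ]') rather than awk's
# default whitespace collapsing, which would shift columns when MOUNTPOINT
# is empty.
#
# Returns 0 if the device mounted at / is of TYPE "crypt" or has a "crypt"
# ancestor (e.g. LVM logical volume inside a LUKS container), 1 otherwise.
lsblk_root_encrypted() {
    awk -F'[ ]' '
        {
            type[$1]   = $2      # KNAME -> TYPE
            parent[$1] = $4      # KNAME -> PKNAME (empty for whole disks)
            if ($3 == "/") root = $1
        }
        END {
            if (root == "") exit 1           # no root mount seen at all
            for (d = root; d != ""; d = parent[d])
                if (type[d] == "crypt") exit 0
            exit 1
        }'
}

# Constructed sample (assumption): LUKS container on nvme0n1p2 holding an
# LVM volume group; root lives on the logical volume dm-1.
ENCRYPTED_SAMPLE='nvme0n1 disk
nvme0n1p1 part /boot/efi nvme0n1
nvme0n1p2 part  nvme0n1
dm-0 crypt  nvme0n1p2
dm-1 lvm / dm-0'

# Constructed sample (assumption): plain unencrypted partitions.
PLAIN_SAMPLE='sda disk
sda1 part /boot sda
sda2 part / sda'

# check_sample LISTING: print a verdict for one lsblk listing and return
# 0 (encrypted) or 1 (not encrypted), so it can drive a fleet audit script.
check_sample() {
    if printf '%s\n' "$1" | lsblk_root_encrypted; then
        echo "OK: root filesystem is on a dm-crypt volume"
        return 0
    else
        echo "WARNING: root filesystem is NOT encrypted"
        return 1
    fi
}

# Stand-alone run: evaluate both constructed listings.
check_sample "$ENCRYPTED_SAMPLE"
check_sample "$PLAIN_SAMPLE" || true
```

A positive result here only proves the block device is encrypted; it says nothing about how the key is protected (passphrase strength, TPM binding, whether the machine is left suspended with the volume unlocked), so pair it with a policy that forces hibernation or shutdown rather than sleep for laptops leaving the building.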
The full 12-page resolution agreement between Feinstein Institute and the OCR is available online.