Research Institution Pays $3.9 million HIPAA Settlement for Breach

March 20, 2016

By David C. Gibbons & Jeffrey N. Wasserstein

On March 16, 2016, the Feinstein Institute for Medical Research, located in Manhasset, New York (“Feinstein”), entered into an agreement with the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) to pay $3.9 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules. Resolution Agreement (Mar. 16, 2016). In addition to the payment, Feinstein agreed to undertake a comprehensive corrective action plan to remediate alleged deficiencies that led to a breach and disclosure of protected health information (“PHI”). This agreement stems from an incident that occurred on September 2, 2012, when a Feinstein laptop containing unencrypted electronic PHI was stolen from a Feinstein employee’s car. The laptop contained information on approximately 13,000 Feinstein patients and research participants, including names, dates of birth, addresses, Social Security numbers, diagnoses, laboratory results, medications, and other medical information regarding subjects’ participation in a research study. HHS, Press Release, Improper disclosure of research participants’ protected health information results in $3.9 million HIPAA settlement (Mar. 17, 2016).

Pursuant to HIPAA regulations, covered entities, such as Feinstein, must:

  1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits;
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
  3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under [the regulations]; and
  4. Ensure compliance with [the regulations] by its workforce. 45 C.F.R. §164.306(a).

Feinstein reported the breach to OCR on September 14, 2012, and OCR initiated an investigation later that year. According to the Resolution Agreement that followed, the investigation found that the individuals’ PHI was “impermissibly disclosed” when an unsecured laptop was taken from the employee’s car. The investigation also found that Feinstein failed to: (i) conduct a proper risk analysis identifying the risks and vulnerabilities to the confidentiality, integrity, and availability of PHI; (ii) implement policies and procedures governing employee access to PHI as well as the use of hardware and electronic media containing PHI; (iii) implement appropriate physical safeguards on laptops to restrict access to PHI; and (iv) implement appropriate electronic safeguards against disclosure of PHI.

This case is notable for the fact that, unlike many of the earlier enforcement actions relating to HIPAA, the disclosure of PHI was unintentional and not made for personal gain. It is also notable because it occurred in a clinical research setting rather than a healthcare setting. OCR Director Jocelyn Samuels was quoted as saying that “[r]esearch institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities.” HHS Press Release. The case is a pointed reminder that the HIPAA Privacy and Security Rules have teeth and can result in large penalties when violated.

Reminder: Register now for the May 3, 2016 Virginia Tech and HP&M Conference on Effective Documentation. Information on the conference is available here.