On March 16, 2016, the Office for Civil Rights (“OCR”) announced its $1.55 million Resolution Agreement and Corrective Action Plan with North Memorial Health Care of Minnesota. North Memorial agreed to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to implement a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.
OCR initiated its investigation of North Memorial following receipt of a report on September 27, 2011, which indicated that “an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the electronic protected health information (ePHI) of 9,497 individuals.”
The investigation indicated that North Memorial gave its business associate, Accretive, access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. OCR further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure – “including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.”
In addition to the $1,550,000 payment, North Memorial is required to develop “an organization-wide risk analysis and risk management plan, as required under the Security Rule.” North Memorial will also train appropriate workforce members on “all policies and procedures newly developed or revised pursuant to this corrective action plan.”
In by now typical fashion, OCR announced another settlement right after the North Memorial settlement.
On March 17, 2016, the OCR announced its $3.9 million HIPAA settlement with the biomedical research institute, Feinstein Institute for Medical Research. Feinstein settled potential HIPAA violations by agreeing to undertake a substantial corrective action plan. OCR’s investigation began after Feinstein filed a report indicating that on September 2, 2012, a laptop computer containing ePHI of approximately 13,000 patients and research participants was stolen from an employee’s car. The ePHI stored in the laptop included “names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study.”
OCR’s investigation discovered that Feinstein’s security management process was “limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity.” Further, Feinstein lacked “policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities.”
The Feinstein and North Memorial settlements are obvious wake-up calls.
First, OCR apparently has no problem whatsoever finding that research institutions are covered entities even though such organizations may not squarely fit into the provider, health plan or clearinghouse bucket for all their activities. See 45 C.F.R. § 160.103. As set forth by the OCR Director Jocelyn Samuels in the press release, “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”
Second, it is much preferable to hire legal counsel and spend several thousand dollars on a good business associate agreement and perhaps $20,000 on a comprehensive risk analysis than it is to pay $1.55 million on an OCR settlement.
And finally, train employees on proper handling of laptops and make sure your laptops are encrypted just in case they are ever lost or stolen. In both cases, the actual trigger leading to these seven figure settlements was a breach report sent to OCR because of a laptop stolen from a car.