Following allegations that Feinstein Institute for Medical Research improperly disclosed research participants' protected health information (PHI), the research institute agreed to undertake a corrective action plan (CAP) and pay $3.9 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (P.L. 104-191) Privacy and Security Rules.
PHI. The settlement with the HHS Office for Civil Rights (OCR) arose after the biomedical research institute filed a breach report indicating that on September 2, 2012, a laptop containing the PHI of approximately 13,000 patients and research participants was stolen from an employee's car. The stolen data included the names of research participants, dates of birth, addresses, Social Security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study.
Policies. An investigation by the OCR revealed that Feinstein’s security risk management process was inadequate. Specifically, the OCR discovered that Feinstein did not have any policies or procedures to regulate the manner in which laptops containing PHI could be moved in and out of its facilities. Additionally, the research institute did not have sufficient procedures regarding workforce access to PHI and had inadequate safeguards to prevent unauthorized users from accessing PHI.
Corrective action plan. Under the terms of the resolution agreement and CAP, the institute must develop a security management process that includes a risk analysis, an inventory of equipment and systems, and the development of a risk management plan, all of which will be subject to HHS approval. The institute also has obligations under the CAP to update its security policies, train staff, and follow certain reporting requirements.