Improper disclosure of research participants' protected health information (PHI) results in a $3.9 million HIPAA settlement


An unprecedented settlement has been reached between the Feinstein Institute for Medical Research and the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), over potential HIPAA violations involving the PHI of patients and research participants.

The incident that prompted OCR's investigation dates to September 2, 2012, when, according to the breach report Feinstein filed, "a laptop computer containing the electronic protected health information (ePHI) of approximately 13,000 patients and research participants was stolen from an employee's car". The report indicates that the ePHI on the laptop included extensive personally identifiable data, such as Social Security numbers and addresses, as well as medical information such as laboratory results, medications and sensitive study-related data. OCR found that the security management processes Feinstein had in place were insufficient and that the institute was potentially non-compliant with the following Privacy Rule and Security Rule provisions:

· Uses and Disclosures of PHI, 45 CFR 164.502

· Security Management Process, 45 CFR 164.308(a)(1)(i)

· Information Access Management, 45 CFR 164.308(a)(4)

· Workstation Security, 45 CFR 164.310(c)

· Device and Media Controls, 45 CFR 164.310(d)

· Encryption and Decryption, 45 CFR 164.312(a)(2)(iv) and 164.312(e)(2)(ii)

Aside from the $3.9 million payment, the Feinstein Institute for Medical Research must implement a corrective action plan that includes the safeguards for ePHI required by the Security Rule, among them a new security management process, a document retention plan and an annual report to OCR on the status of the corrective actions.

This is the first time we have seen a research-specific incident result in a HIPAA settlement, and it sets an interesting precedent for the different stakeholders in research. Industry-wide discussions about stricter encryption and protection of participant data are likely to follow, at the same time that we are promoting remote monitoring of source documentation.
