OCR Struck Feinstein Institute with $3.9M fine

The HHS Office for Civil Rights has declared sanctions that involve a fine of $3.9 million against the popular Feinstein Institute for Medical Research, which is connected with Northwell Health, previously called as the North Shore Long Island Jewish Health System.

The latest sanction, discussed on the day of March 17, is the 2^nd by OCR in two days. The day before, the agency declared sanctions against the company North Memorial Health Care of Minnesota that involved a fine of nearly $1.55 million.

The sanction against the Feinstein Institute was a result from the year 2012 theft of an unencrypted laptop from a worker’s car. The laptop consisted of a range of demographic and medical data, as well as Social Security numbers, impacting about 13,000 sufferers and research participants.

An investigation discovered restricted security management at the Feinstein Institute with the agency lacking policies and processes authorizing workforce access to electronic protected health data, governing receipt and eradication of laptops holding PHI, and failing to execute safeguards for electronic tools procured outside of the standard acquisition procedure, in accordance to OCR.

More primarily, the agency not merely failed to encrypt, but didn’t document “why encryption wasn’t reasonable and suitable and execute an equivalent alternative step to encryption to protect ePHI,” in accordance to the resolution agreement. HIPAA doesn’t expressly need encryption, but it does need documented justification of reasons for not accepting encryption.

Feinstein Institute issued the following notification to the HDM: “The Feinstein Institute highly values the devotion of research participants to advance the analysis and findings that make better the health of our community. As such, subsequent to the theft in the year 2012, we executed corrective action—latest policies and processes—to make sure the Feinstein Institute is a safe and protective atmosphere for research. To ensure privacy and confidentiality of our research participants, we conduct consistent reviews and updates to our security processes.”

OCR, which imposes the HIPAA privacy and security rules, has released its nuclear option—the enforcement of a resolution agreement, corrective action policy and a heavy fine—against six healthcare industries since the month of September.

The ramp-up in enforcement comes following the appointment of veteran privacy advocate Deven McGraw as deputy director for health data privacy in the month of June. Also, OCR in part depends on fines for part of its funding. Since the month of September, those fines have totaled to almost $11,300,000.

With the latest sanctions, OCR, in sending a series of messages to the industry, has mentioned the requirement for sufficient risk analysis, risk management, business associate agreements, and device and media controls.

“This situation highlights the OCR’s devotion to promoting the privacy and security protections so serious to develop and maintain belief in health research,” a statement of OCR.