The Feinstein Institute for Medical Research (Feinstein) recently agreed to pay, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), $3.9 million to settle allegations that Feinstein violated the HIPAA Privacy and Security Rules. This settlement confirms the OCR’s position that nonprofit research institutes are held to the same standards as all other HIPAA covered entities.
The OCR began its investigation, after Feinstein filed a breach report revealing that a laptop computer containing electronic protected health information (ePHI) had been stolen from an employee’s car. The laptop contained the ePHI of approximately 13,000 patients and research participants. The laptop was unencrypted.
In addition to the breach, OCR’s investigation determined that Feinstein failed to:
(1) conduct a risk analysis of all of the PHI held at Feinstein, including the PHI on the stolen laptop;
(2) implement policies and procedures for granting access to ePHI to workforce members;
(3) implement physical safeguards for the laptop;
(4) implement policies and procedures managing the movement of hardware that contains ePHI; and
(5) implement encryption technology or to ensure that an alternative measure to encryption was deployed to safeguard the ePHI.
HIPAA does not expressly require encryption of ePHI, however, covered entities and business associates, who do not encrypt ePHI, are required to document why encryption is not reasonable or appropriate. Covered entities and business associates that do not encrypt ePHI are also required implement measures equivalent to encryption to safeguard ePHI.
In addition to other violations, the OCR’s investigation revealed that Feinstein failed to document why encrypting the laptop was not reasonable or appropriate. Further, contrary to having measures equivalent to encryption for safeguarding ePHI, the OCR found that Feinstein lacked policies and procedures for the receipt and removal of laptops containing ePHI from its facilities and policies and procedures for authorizing access ePHI.
This settlement provides us with three lessons. First, it’s important to realize that research institutes are held to the same standards as other covered entities. To the extent a research institute maintains PHI, it is essential to develop adequate policies and procedures to protect the PHI. Failing to do so, exposes the institute to considerable risk. Second, encrypting ePHI goes a long way towards reducing liability. Had Feinstein’s laptop been encrypted to the NIST standard, Feinstein’s ePHI would have been secured and Feinstein wouldn’t have been required to report a breach. Instead, as is often the case, the OCR’s investigation revealed multiple additional HIPAA violations. By not encrypting ePHI covered entities and business associates risk not only the cost of a breach, but also the potential for added costs following an OCR investigation. Lastly, covered entities and business associates that don’t encrypt their ePHI, are required to document why encryption is not reasonable or appropriate. Failing to do so is a HIPAA violation and subjects covered entities and business associates to liability.