Another unencrypted laptop is stolen; another health care provider is hit by HHS with significant penalties. This time, HHS has announced that Feinstein Institute for Medical Research (“Feinstein”) has agreed to pay $3.9 million to settle its HIPAA violations. As with the recent HHS settlement involving North Memorial Health Care of Minnesota, the problem started when a laptop containing unencrypted PHI was stolen from an employee’s car. The laptop contained names of 13,000 patients and research participants, dates of birth, addresses, social security numbers, diagnoses, lab results, and medications.

When Feinstein reported the breach to HHS, of course an investigation was opened. It found that Feinstein had failed to comply with the HIPAA privacy and security standards in multiple areas. Many of the lessons to be learned from this settlement are the same ones I listed yesterday when writing about the North Memorial breach. However, there are some variations worth noting:

  1. HHS emphasized that while the HIPAA security rule does not mandate encryption of electronic PHI, if you do not encrypt you must document why encryption was not reasonable and implement an equivalent alternative measure to safeguard electronic PHI.
  2. Feinstein failed to conduct an accurate and thorough risk analysis that would have uncovered the vulnerability resulting from having PHI stored on a laptop (or other portable device). Partly due to the failure to complete a thorough risk analysis, Feinstein: (a) failed to implement policies and procedures for granting access to electronic PHI by its employees; (2) failed to restrict access to the laptop to only authorized users; and (3) failed to implement policies governing the receipt and removal the laptop from the facility and the movement within the facility.

In short, perform your risk analysis, address vulnerabilities and encrypt electronic PHI (or be prepared to provide a reasonable explanation as to why you decided not to encrypt and what alternative safeguards you implemented).