The Office for Civil Rights (OCR) has announced two more significant HIPAA settlements involving covered entities. Both settlements were the result of investigations triggered by breach reports involving laptop thefts. And as is often the case, the investigations uncovered numerous HIPAA compliance issues above and beyond those which led to the breach.

North Memorial Health Care of Minnesota (North Memorial) reached a $1.55 million settlement and corrective action plan with OCR related to allegations that it, in the words of OCR Director Jocelyn Samuels, overlooked “two major cornerstones of the HIPAA Rules.” OCR began its investigation following receipt of a breach report in September 2011, which indicated that an unencrypted, password-protected laptop containing electronic protected health information (e-PHI) of approximately 9,000 patients was stolen from a locked vehicle belonging to an employee of a hospital business associate. OCR’s investigation uncovered that North Memorial’s business associate had access to its hospital database containing e-PHI of more than 289,000 patients in order to perform payment and operations activities on its behalf. However, North Memorial failed to require the business associate to enter into a business associate agreement. Additionally, OCR noted that North Memorial did not complete a comprehensive and accurate risk analysis, continuing the trend from OCR’s enforcement action in 2015.

The other recent enforcement action involved OCR agreeing to a $3.9 million settlement and “substantial” corrective action plan with the Feinstein Institute for Medical Research (Feinstein). The investigation into Feinstein followed a breach report in September 2012, indicating that a laptop containing e-PHI of approximately 13,000 research participants was stolen from an employee’s car. OCR’s investigation exposed significant problems with Feinstein’s security management process, and further found that Feinstein did not have appropriate policies and procedures and other safeguards in place to protect e-PHI. Following this settlement, OCR Director Jocelyn Samuels offered a reminder to providers:

Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities. For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.

These investigations and settlements offer a number of key takeaways:

  • Covered entities should regularly inventory their roster of business associates, and consider auditing those with access to large quantities of PHI.
  • Security risk assessments are at the top of regulators’ checklists, and as a result are critical to demonstrating HIPAA compliance.
  • Following a breach report, covered entities and business associates should take the opportunity to reexamine their HIPAA compliance – including conducting a security risk assessment; reviewing and updating policies and procedures; and re-training workforce members.