What can we learn from the Office for Civil Rights’ (OCR) recent announcements regarding two of the largest settlements ever reported for HIPAA violations? The settlements total $3.9 million and $1.5 million respectively and both stem from an unencrypted laptop stolen from an employee’s car.
The Feinstein Institute of Medical Research suffered a data breach in 2012 of over 13,000 research participants’ individually identifiable health information through the theft of an unencrypted laptop left unattended in an employee’s car. The stolen information included names, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications and the reason for participation in the study. After the formal OCR investigation, it was evident that the Feinstein Institute had an inadequate security management process, without proper safeguards to restrict access by unauthorized users and without policies and procedures addressing the safe removal of ePHI from the facility.
In September 2011, North Memorial Health Care reported a data breach of ePHI that was initially reported as affecting 2,800 individuals but was later found to actually involve 6,697 individuals. In this case, the employee who had the unencrypted laptop stolen from their car was not part of the covered entity’s workforce but was an employee of its business associate, Accretive Health. Unfortunately, North Memorial had not entered into a written Business Associate Agreement with Accretive until after this data breach was discovered. This lack of a written BAA prompted the OCR to investigate North Memorial for HIPAA noncompliance during the period before the data breach was reported. As a result of this look-back, the OCR found that North Memorial had actually been impermissibly disclosing the PHI of 289,904 individuals to Accretive without satisfactory assurances from its business associate that this PHI would be adequately safeguarded. In addition, North Memorial had failed to conduct a thorough security risk analysis as required by the Security Rule.
Keep in mind the basic tenets of the Security Rule: confidentiality, integrity, and availability. These basic steps could have prevented the costly fines for HIPAA violations in both cases:
- Encryption and password protection on all mobile devices that hold individually identifiable health information
- A written Business Associate Agreement to safeguard PHI shared with business associates
- A thorough security risk analysis