The Office for Civil Rights used the instances to highlight the importance of holding business associates and research centers accountable to privacy and security laws.
Health and Human Services’ Office for Civil Rights closed a pair of HIPAA breach settlements with North Memorial Health Care of Minnesota and Feinstein Institute for Medical Research.
The larger penalty went to Feinstein, at $3.9 million, OCR said on Thursday. That came just one day after the office announced that North Memorial agreed to pony up $1.55 million.
OCR initiated its investigation of North Memorial following receipt of a breach report on September 27, 2011, which indicated that an unencrypted, password-protected laptop had been stolen from the locked vehicle of a business associate’s workforce member. At risk was the protected health information of 9,497 individuals.
That investigation determined that North Memorial broke HIPAA rules on multiple fronts, according to OCR.
“Two major cornerstones of the HIPAA rules were overlooked by this entity,” OCR Director Jocelyn Samuels said in a prepared statement. “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”
According to OCR, North Memorial gave its business associate, Accretive Health, access to North Memorial’s hospital database, which stored the electronic PHI of 289,904 patients. Accretive also had access to non-electronic protected health information.
Besides paying the fine, OCR is requiring North Memorial to develop an organization-wide risk analysis and risk management plan.
OCR also mandated that the Feinstein Institute for Medical Research put in place a plan to bring its operations into compliance, in addition to the $3.9 million penalty.
The investigation began after Feinstein filed a breach report indicating that on Sept. 2, 2012, a laptop computer containing the electronic protected health information of approximately 13,000 patients and research participants was stolen from an employee’s car.
The ePHI stored in the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study.
OCR found Feinstein’s security management process lacking on several fronts.
It also determined that Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access by unauthorized users, and lacked policies and procedures regarding laptops.
“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” Samuels said in a statement.