TWO LESSONS FROM HIPAA BREACHES

  1. Sign a business associate agreement
  2. Run a comprehensive and accurate risk analysis

Organizations responsible for the security of patient records should take note of two recent investigations and subsequent settlements announced by the Office for Civil Rights (OCR). The agency is tasked with ensuring that covered entities remain in compliance with all HIPAA regulations and that they are actively and appropriately safeguarding patient information. Each case was triggered by the report of a theft of a laptop containing electronic protected health information (e-PHI), and each case involved a failure to uphold compliance standards.

In the first case, the agency assessed a fine of $1.55 million on North Memorial Health Care of Minnesota. The agency received word that an unencrypted, password-protected laptop containing e-PHI on roughly 9,000 patients was stolen from a locked vehicle. The vehicle and laptop did not belong to the hospital; they were the property of a business associate of the hospital and had been in the care of that associate’s employee. Upon receiving word of the theft, OCR initiated an investigation and found that, although the business associate had been given full access to the hospital’s database, North Memorial had never had the company, which performed payment and operations activities on the hospital’s behalf, sign a business associate agreement. In addition to this failure, the investigation revealed that the hospital had also neglected to run a comprehensive and accurate risk analysis as required by HIPAA rules. OCR Director Jocelyn Samuels stated that the hospital had overlooked “two major cornerstones of the HIPAA rules.”

The second settlement that was announced was for an even greater sum. The Feinstein Institute for Medical Research agreed to a $3.9 million settlement and committed to a “substantial” correction plan following the discovery of multiple problems with its security management. Among the problems discovered after a laptop containing the e-PHI of roughly 13,000 research participants was stolen from an employee’s car was a lack of appropriate safeguards, policies and procedures designed to prevent this type of breach from taking place. Speaking of the problems discovered at Feinstein, Samuels said, “Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities. For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”

Hospitals, research institutions and other medical providers have an important responsibility with regard to the electronic patient records that they keep in their databases. In order to be in compliance with HIPAA and maintain the trust of their patients, it is essential that they follow all the rules and security guidelines that HIPAA has in place, including conducting security risk assessments, keeping policies and procedures updated, ensuring that employees are properly trained, and ensuring that correct procedures are followed for data and hard drive destruction.