<div dir="ltr"><a href="http://www.hhs.gov/about/news/2016/03/17/improper-disclosure-research-participants-protected-health-information-results-in-hipaa-settlement.html">http://www.hhs.gov/about/news/2016/03/17/improper-disclosure-research-participants-protected-health-information-results-in-hipaa-settlement.html</a><br><p>Feinstein Institute for Medical Research agreed to pay the U.S.
Department of Health and Human Services, Office for Civil Rights (OCR)
$3.9 million to settle potential violations of the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) Privacy and Security
Rules and will undertake a substantial corrective action plan to bring
its operations into compliance. This case demonstrates OCR’s commitment
to promoting the privacy and security protections so critical to build
and maintain trust in health research. Feinstein is a biomedical
research institute that is organized as a New York not-for-profit
corporation and is sponsored by Northwell Health, Inc., formerly known
as North Shore Long Island Jewish Health System, a large health system
headquartered in Manhasset, New York that is comprised of twenty one
hospitals and over 450 patient facilities and physician practices.</p>
<p>OCR’s investigation began after Feinstein filed a breach report
indicating that on September 2, 2012, a laptop computer containing the
electronic protected health information (ePHI) of approximately 13,000
patients and research participants was stolen from an employee’s car.
The ePHI stored in the laptop included the names of research
participants, dates of birth, addresses, social security numbers,
diagnoses, laboratory results, medications, and medical information
relating to potential participation in a research study.</p>
<p>OCR’s investigation discovered that Feinstein’s security management
process was limited in scope, incomplete, and insufficient to address
potential risks and vulnerabilities to the confidentiality, integrity,
and availability of ePHI held by the entity. Further, Feinstein lacked
policies and procedures for authorizing access to ePHI by its workforce
members, failed to implement safeguards to restrict access to
unauthorized users, and lacked policies and procedures to govern the
receipt and removal of laptops that contained ePHI into and out of its
facilities. For electronic equipment procured outside of Feinstein’s
standard acquisition process, Feinstein failed to implement proper
mechanisms for safeguarding ePHI as required by the Security Rule. </p>
<p>“Research institutions subject to HIPAA must be held to the same
compliance standards as all other HIPAA-covered entities,” said OCR
Director Jocelyn Samuels. “For individuals to trust in the research
process and for patients to trust in those institutions, they must have
some assurance that their information is kept private and secure.” </p>
<p>The resolution agreement and corrective action plan may be found on the OCR website at <a id="anch_29" href="http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/feinstein/index.html">http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/Feinstein/index.html</a>.</p>
<p>To learn more about non-discrimination and health information privacy
laws, your civil rights, and privacy rights in health care and human
service settings, and to find information on filing a complaint, visit
us at <a id="anch_30" href="http://www.hhs.gov/hipaa/index.html">www.hhs.gov/hipaa</a>.</p><br></div>