HHS dings two providers for HIPAA violations

North Memorial Health Care in Minnesota settled for $1.55 million, while Northwell Health’s Feinstein Institute for Medical Research on Long Island will pay $3.9 million, both related to stolen laptops and lax security procedures.

Two healthcare providers will have to pay the federal government a total of nearly $5.5 million to settle potential HIPAA violations. The Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA privacy and security rules, announced two separate settlements this week.

On Wednesday, OCR said that North Memorial Health Care, based in Robbinsdale, Minnesota, agreed to pay a $1.55 million fine. OCR said the health system “potentially violated” HIPAA by “failing to enter into a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.”

Under terms of the settlement, North Memorial also will have to create a risk-management plan and train employees to follow it.

North Memorial had reported the theft of an unencrypted laptop from an employee of a business associate in 2011. This put data on nearly 9,500 patients at risk, OCR said.

The subsequent investigation found that North Memorial didn’t have a HIPAA business associate agreement with the contractor, debt collector Accretive Health, according to OCR. Accretive Health was in hot water itself with Minnesota officials for not having an agreement with North Memorial.

On Thursday, Feinstein Institute for Medical Research, Manhasset, New York, reached a $3.9 million settlement with OCR. The biomedical research institute, part of Northwell Health (formerly North Shore-LIJ Health System), also had a laptop stolen from an employee’s car. (Anyone sense a pattern?)

The stolen computer had electronic protected health information on about 13,000 patients and research subjects, according to OCR.

OCR said:

OCR’s investigation discovered that Feinstein’s security management process was limited in scope, incomplete and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the entity. Further, Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities. For electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the [HIPAA] Security Rule.

Read the settlement here.

Photo: Flickr user Brian Turner