HHS dings two providers for HIPAA violations

North Memorial Health Care in Minnesota settled for $1.55 million, while Northwell Health’s Feinstein Institute for Medical Research on Long Island will pay $3.9 million, both related to stolen laptops and lax security procedures.


Two healthcare providers will have to pay the federal government a total of nearly $5.5 million to settle potential HIPAA violations. The Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA privacy and security rules, announced two separate settlements this week.

On Wednesday, OCR said that North Memorial Health Care, based in Robbinsdale, Minnesota, agreed to pay $1.55 million. OCR said the health system “potentially violated” HIPAA by “failing to enter into a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.”


Under terms of the settlement, North Memorial also will have to create a risk-management plan and train employees to follow it.

North Memorial had reported the theft of an unencrypted laptop from an employee of a business associate in 2011. This put data on nearly 9,500 patients at risk, OCR said. The lack of encryption is what made the theft a reportable breach: under HIPAA’s breach notification rule, only encryption consistent with HHS guidance renders electronic protected health information “unusable, unreadable, or indecipherable,” so a lost device that relies on a login password alone does not qualify for that safe harbor.

The subsequent investigation found that North Memorial didn’t have a HIPAA business associate agreement with the contractor, debt collector Accretive Health, according to OCR. Accretive Health was itself in hot water with Minnesota officials for not having such an agreement with North Memorial.

On Thursday, Feinstein Institute for Medical Research, Manhasset, New York, reached a $3.9 million settlement with OCR. The biomedical research institute, part of Northwell Health (formerly North Shore-LIJ Health System), also had a laptop stolen from an employee’s car. (Anyone sense a pattern?)

The stolen computer had electronic protected health information on about 13,000 patients and research subjects, according to OCR.

OCR said:

OCR’s investigation discovered that Feinstein’s security management process was limited in scope, incomplete and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the entity. Further, Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities. For electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the [HIPAA] Security Rule.


Photo: Flickr user Brian Turner