Posted: 18 Mar 2016 11:08 AM PDT
By David C. Gibbons & Jeffrey N. Wasserstein –
On March 16, 2016, the Feinstein Institute for Medical Research, located in Manhasset, New York, (“Feinstein”) entered into an agreement with the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) to pay $3.9 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules.Resolution Agreement, (Mar. 16, 2016). In addition to the payment, Feinstein agreed to undertake a comprehensive corrective action plan to remediate alleged deficiencies that led to a breach and disclosure of protected health information (“PHI”) This agreement stems from an incident that occurred on September 2, 2012, when a Feinstein laptop containing unencrypted, electronic PHI was stolen from a Feinstein employee’s car. The laptop contained information on approximately 13,000 Feinstein patients and research participants, including names, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and other medical information regarding subjects’ participation in a research study. HHS,Press Release, Improper disclosure of research participants’ protected health information results in $3.9 million HIPAA settlement (Mar. 17, 2016).
Pursuant to HIPAA regulations, covered entities, such as Feinstein, must:
This case is notable for the fact that, unlike many of the earlier enforcement actions relating to HIPAA, the disclosure of PHI was unintentional and not made for personal gain. It is also notable given it occurred in a clinical research, as opposed to a healthcare, setting. OCR Director, Jocelyn Samuels, was quoted as saying that “[r]esearch institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities.” HHS Press Release. The case is a pointed reminder that the HIPAA Privacy and Security Rules have teeth and can result in large penalties when violated.
Reminder: Register now for the May 3, 2016 Virginia Tech and HP&M Conference on Effective Documentation. Information on the conference is available here.
On March 16, 2016, the Feinstein Institute for Medical Research, located in Manhasset, New York, (“Feinstein”) entered into an agreement with the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) to pay $3.9 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules.Resolution Agreement, (Mar. 16, 2016). In addition to the payment, Feinstein agreed to undertake a comprehensive corrective action plan to remediate alleged deficiencies that led to a breach and disclosure of protected health information (“PHI”) This agreement stems from an incident that occurred on September 2, 2012, when a Feinstein laptop containing unencrypted, electronic PHI was stolen from a Feinstein employee’s car. The laptop contained information on approximately 13,000 Feinstein patients and research participants, including names, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and other medical information regarding subjects’ participation in a research study. HHS,Press Release, Improper disclosure of research participants’ protected health information results in $3.9 million HIPAA settlement (Mar. 17, 2016).
Pursuant to HIPAA regulations, covered entities, such as Feinstein, must:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits;
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under [the regulations]; and
- Ensure compliance with [the regulations] by its workforce. 45 C.F.R. §164.306(a).
This case is notable for the fact that, unlike many of the earlier enforcement actions relating to HIPAA, the disclosure of PHI was unintentional and not made for personal gain. It is also notable given it occurred in a clinical research, as opposed to a healthcare, setting. OCR Director, Jocelyn Samuels, was quoted as saying that “[r]esearch institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities.” HHS Press Release. The case is a pointed reminder that the HIPAA Privacy and Security Rules have teeth and can result in large penalties when violated.
Reminder: Register now for the May 3, 2016 Virginia Tech and HP&M Conference on Effective Documentation. Information on the conference is available here.
No hay comentarios:
Publicar un comentario