Question: In past issues of Practice Management Alert, I’ve read several articles on avoiding Health Insurance Portability and Accountability Act (HIPAA) violations due to protected health information (PHI) leaks. What are some of the real-world implications of not keeping PHI covered?
Pennsylvania Subscriber
Answer: There are frequent issues with HIPAA violations negatively affecting medical practices’ reputations and bottom lines. Often, these violations don’t make the news. This recent story about a major HIPAA breach, however, could serve as an object lesson on how important PHI security is for every medical practice.
The rundown: On March 17, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that Feinstein Institute for Medical Research agreed to pay $3.9 million to settle potential HIPAA violations and will undertake a substantial corrective action plan (CAP) to bring its operations into compliance.
Feinstein is a biomedical research institute and not-for-profit corporation, sponsored by Northwell Health, Inc. located in Manhasset, N.Y.
In September 2012, Feinstein filed a breach report alerting that an unencrypted laptop computer containing the electronic PHI (ePHI) of 13,000 patients and research participants was stolen from an employee’s car. The ePHI included the research participants’ names, birth dates, addresses, Social Security numbers, diagnoses, laboratory results, medications, and other medical information.
Following the breach notification, OCR launched an investigation that revealed that Feinstein’s security management process was limited, incomplete and insufficient to address potential vulnerabilities to ePHI.
According to OCR, Feinstein also:
Best bet: Check your policies and procedures to ensure your practice doesn’t make a splash in the headlines, and be sure your safeguards to restrict access to authorized users only are solid.