Last week, a New York health conglomerate reached a settlement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), over potential Health Insurance Portability and Accountability Act (HIPAA) violations stemming from the theft of an employee laptop. 

The OCR first started investigating the Feinstein Institute for Medical Research after it reported a data breach incident involving the theft of a laptop computer from an employee’s vehicle.  According to an OCR press release, the laptop contained electronic protected health information pertaining to thousands of research participants and patients, including names, birth dates, addresses, Social Security numbers, and medical information.  Since the theft, there have been no reports of unauthorized use of information from the stolen laptop or any harm to research participants from the incident. 

Feinstein agreed to pay $3.9 million to settle the OCR’s claims.  In addition, Feinstein agreed to implement a corrective action plan to address risks and vulnerabilities in its security management process.  Pursuant to the Resolution Agreement, Feinstein agreed to complete a systemwide risk analysis, implement a risk management plan, and strengthen internal policies and procedures.   

This agreement is in line with the OCR’s other noteworthy enforcement actions, including a $1.5 million settlement with North Memorial Health Care System, a $750,000 settlement with Cancer Care Group, a $3.5 million settlement with Triple-S Management, and a $750,000 settlement with the University of Washington Department of Medicine.

These settlements are a reminder of the key role the OCR is taking in HIPAA enforcement actions.  In light of the increasing regulatory actions, entities of all sizes must be proactive in complying with HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH).   

Troutman Sanders LLP has an experienced team dedicated to regulatory compliance and data privacy.