The Feinstein Institute for Medical Research in Manhasset, New York, is the second organization to reach a HIPAA settlement this week with the Department of Health and Human Services' Office for Civil Rights.
Feinstein Institute, a biomedical research institute that is organized as a not-for-profit corporation and sponsored by Northwell Health Inc., must pay $3.9 million in the settlement, which comes after OCR investigated a breach report over a stolen laptop that contained electronic protected health information (ePHI) of about 13,000 patients.
"This case demonstrates OCR's commitment to promoting the privacy and security protections so critical to build and maintain trust in health research," an announcement noted.
According to OCR, "Feinstein's security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity."
In November, OCR said it would resume audits this year; at that time Anna Spencer, a partner at law firm Sidley Austin LLP, said the second round of audits likely would include more enforcement actions.
Earlier this week, North Memorial Health Care of Minnesota agreed to pay a $1.55 million settlement after a potential HIPAA violation in which it failed to make a business associate (BA) agreement with a contractor and did not conduct a risk analysis to address security of patient data, FierceHealthIT reported.
That breach also involved a stolen laptop from the car of an employee of the BA. That laptop contained ePHI for almost 9,500 patients.
The Feinstein Institute settlement is now the second largest ever, replacing a $3.5 million one by Triple-S Management Corporation in December. The largest to date occurred in 2014 when New York-Presbyterian Hospital and Columbia University were fined a total of $4.8 million.