The Office for Civil Rights (OCR) settled two HIPAA violation cases that demonstrate the office’s new focus on entities that do business with hospitals.
The settlements included a $3.9 million fine for the Feinstein Institute for Medical Research in New York and a $1.55 million fine for North Memorial Healthcare in Minnesota, according to healthcareitnews.com.
The OCR’s investigation into Feinstein began when a laptop containing the electronic protected health information (ePHI) of 13,000 patients was stolen from an employee’s car in 2012. The patient information included names, dates of birth, Social Security numbers, diagnoses, laboratory results, medications and other medical information.
The OCR’s fine related to its findings that the institute had inadequate procedures for accessing ePHI and for using laptops.
North Memorial’s fine came after an unencrypted laptop was stolen from a business associate’s locked vehicle in 2011. The laptop contained information on 9,497 people. The fine was the result of the OCR’s findings that the hospital failed to have “compliant business associate agreements and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”
As part of the agreement, North Memorial will create a risk analysis and risk management plan.
Together the fines, which came just one day apart, show that federal officials are not solely focused on hospitals.
“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” OCR Director Jocelyn Samuels said in a prepared statement.