HHS Task Force Announcement and $3.9 HIPAA Settlement Focus Attention on IT Security

A$3.9 million settlement arising from a potential HIPAA breach and an announcement regarding a U.S. Department of Health and Human Services Task Force emphasize the risks to the privacy and security of patients’ health information.

Feinstein Institute for Medical Research, a biomedical research institute based in New York, agreed to the settlement which includes a corrective action plan after a laptop was stolen from an employee’s car, according to an HHS Office for Civil Rights (OCR) March 17 press release. “This case demonstrates OCR’s commitment to promoting the privacy and security protections so critical to build and maintain trust in health research,” HHS said. The settlement is the result of an investigation following the organization’s filing of a breach report concerning the 2012 theft of the laptop, which reportedly held about 13,000 patients’ and research participants’ health information. OCR asserted the organization failed to have adequate policies and procedures and safeguards with regard to laptops.

Just a day earlier, HHS had also announced membership of the Health Care Industry Cybersecurity Task Force which includes government and private sector leaders. The Task Force will seek “the best ways organizations of all types are keeping data and connected medical devices safe and secure” and report to Congress within the next year before the Task Force’s term ends in March 2017. The Task Force arises out of the Cybersecurity Information Sharing Act of 2015 and will also develop materials to help organizations ensure security of health information.