OCR March Madness

In January, I posted about the “Top Three HIPAA Lessons Learned in 2015”, citing the need to encrypt portable devices containing PHI as the number one lesson learned.  In March, the Office of Civil Rights (OCR) announced two new resolution agreements – both stemming from the loss of unencrypted laptops.  It appears that OCR is beginning to lose patience with covered entities who fail to encrypt portable devices and protect patient health data.  Both resolution agreements were notable in their own right.

  • North Memorial Health Care (March 16th) – This nonprofit healthcare system reached a resolution with OCR, agreeing to pay a settlement amount of $1.55 million.  OCR began investigating North Memorial after it reported the theft of an unencrypted laptop housing the health information of nearly 10,000 individuals.  Interestingly enough, North Memorial was not directly responsible for the breach.  The laptop was stolen from the locked car of an employee working for Accretive, North Memorial’s business associate.  Although it doesn’t appear that North Memorial’s covered conduct included their business associate’s loss of the laptop, OCR did determine that North Memorial failed to enter into a business associate agreement and, therefore, improperly shared the PHI of almost 300,000 individuals with Accretive.


  •  Feinstein Institute for Medical Research (March 17th) – The following day, OCR announced that it had reached a resolution agreement with Feinstein, a biomedical research institute.  In this case, OCR’s investigation was also prompted by the self-reporting of a stolen unencrypted laptop from a car.  OCR determined that Feinstein failed to do a security risk assessment, failed to put into effect policies to safeguard the laptop, and failed to encrypt the laptop, resulting in the improper disclosure of PHI for 13,000 individuals.  Feinstein settled with OCR for $3.9 million.  As can be seen below, this is the highest resolution settlement amount ever paid for the loss of an unencrypted portable device.


* Number of individuals affected reported by entity other than OCR.


Justin A. Pope, JD
Associate Risk Manager

Justin Pope joined PRMS in 2014. Mr. Pope is responsible for researching emerging legal issues, creating online risk management content, and providing advice to individual providers through the Risk Management Consultation Service.

As a law student, he focused primarily on international, administrative, and food law. During his final year at Howard, Mr. Pope gained additional insight into the FDA’s regulatory process while serving as a research assistant to his professor. He has also interned as a legal assistant for both the Ft. Monroe Garrison Office of the Staff Judge Advocate and the Office of the Naval Inspector General, opining on a variety of legal issues, including privacy law. Mr. Pope received his Bachelor of Arts degree in International Affairs from the University of Virginia and his Juris Doctor degree from the Howard University School of Law.

Categories: PRMS Blog