New York-Presbyterian and Columbia Hospitals to Pay Record HIPAA Settlement

May 14, 2014

The U.S. Department of Health and Human Services Office of Civil Rights (OCR) recently announced settlements with two New York hospitals for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

The settlements – totaling $4.8 million – arise from the hospitals' failure to secure the electronic protected health information (ePHI) of thousands of patients held on their networks, Mondaq reports. The two hospitals, New York-Presbyterian Hospital (Presbyterian) and Columbia University (Columbia), participate in a joint arrangement allowing Columbia faculty members to serve as attending physicians at Presbyterian. They were investigated after submitting a joint breach report to OCR in September 2010. The breach occurred when a physician employed by Columbia attempted to deactivate a personal computer server on the shared network, which contained Presbyterian patient ePHI. The improper deactivation resulted in ePHI being accessible through Internet search engines. The hospitals reported disclosure of ePHI for 6,800 individuals: the information included patient status, vital signs, medications, and laboratory results.

OCR determined that neither hospital had conducted a thorough risk analysis to determine all systems accessing the shared data network and that neither hospital had an adequate risk management plan to address the potential threats to ePHI, according to Mondaq. Christina Heide, Acting Deputy Director of Health Information Privacy for OCR, said that those in a joint compliance arrangement "share the burden of addressing the risks to protected health information," and that health care organizations "need to make data security central to how they manage their information systems."

Mondaq reported that Presbyterian paid OCR a settlement of $3.3 million; Columbia paid $1.5 million. In addition, both hospitals agreed to substantive corrective action plans, including the development of a risk management plan and revised policies and procedures.
