New York-Presbyterian and Columbia Hospitals to Pay Record HIPAA SettlementMay 14, 2014
The U.S. Department of Health and Human Services Office of Civil Rights (OCR) recently announced settlements with two New York hospitals for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.
The settlements – totaling $4.8 million – arise from the hospitals' failure to secure the electronic protected health information (ePHI) of thousands of patients held on their networks, Mondaq reports. The two hospitals, New York-Presbyterian Hospital (Presbyterian) and Columbia University (Columbia), participate in a joint arrangement allowing Columbia faculty members to serve as attending physicians at Presbyterian. They were investigated after submitting a joint breach report to OCR in September 2010. The breach occurred when a physician employed by Columbia attempted to deactivate a personal computer server on the shared network, which contained Presbyterian patient ePHI. The improper deactivation resulted in ePHI being accessible through Internet search engines. The hospitals reported disclosure of ePHI for 6,800 individuals: the information included patient status, vital signs, medications, and laboratory results.
OCR determined that neither hospital had conducted a thorough risk analysis to determine all systems accessing the shared data network and that neither hospital had an adequate risk management plan to address the potential threats to ePHI, according to Mondaq. Christina Heide, Acting Deputy Director of Health Information Privacy for OCR, said that those in a joint compliance arrangement "share the burden of addressing the risks to protected health information," and that health care organizations “need to make data security central to how they manage their information systems."
Mondaq reported that Presbyterian paid OCR a settlement of $3.3 million; Columbia paid $1.5 million. In addition, both hospitals agreed to substantive corrective action plans, including the development of a risk management plan and revised policies and procedures.