Once again the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) proves how serious it is about enforcing HIPAA privacy rules. In the largest HIPAA settlement since the law’s inception, Columbia University (CU) and New York Presbyterian Hospital (NYP) have agreed to a combined monetary payment of $4,800,000.00 for a failure to secure thousands of patients’ electronic protected health information (ePHI) that was stored on their network. A joint breach report dated September 27, 2010, launched the OCR investigation that led to the settlement.
CU and NYP are large, respected institutions with a wide variety of resources to maintain HIPAA compliance, and yet they still fell prey to this significant oversight. The two institutions have a joint arrangement where CU Medical Center faculty serve as attending physicians at NYP, and together the entities operate and administer a shared network and firewall. According to the investigation, the breach occurred when a CU physician “attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.” The investigation further revealed that neither CU nor NYP had conducted adequate risk assessments or made the appropriate efforts to assure data security on their servers.
Not only did the breach result in a substantial monetary penalty for CU and NYP, but they broke the trust of their patients by not adequately protecting their patients’ ePHI. Imagine having your or your loved ones’ private medical information available to anyone that has access to a search engine. In fact, the inappropriate disclosure of patient information was first brought to CU and NYP’s attention by an individual who was able to find their deceased partner’s ePHI on the internet.
In addition to the settlement, both entities have agreed to “a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports.” This should serve as a reminder to not become complacent even if you or your organization already have HIPAA policies and procedures in place; continual assessment and risk analysis are required to keep pace with the rapidly evolving and expanding ways in which we share and store ePHI. In the words of Christina Heide, Acting Deputy Director of Health Information Privacy for OCR, “Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.” Avoid the substantial costs and hassle by making sure you and your organization take HIPAA compliance and data security seriously.
The Columbia University Resolution Agreement may be found at: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/enforcement/examples/columbia-university-resolution-agreement.pdf
The New York and Presbyterian Hospital Resolution Agreement may be found at: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/enforcement/examples/ny-and-presbyterian-hospital-settlement-agreement.pdf
Follow this link to view the original story posted by HHS.gov: www.hhs.gov/news/press/2014pres/05/20140507b.html.