A user error that made the personal health information of 6,800 Columbia University Medical Center patients accessible on internet search engines will cost the hospital and its partner Columbia University Medical Center $4.8 million.

According to the Department of Health and Human Services (HHS), the settlement with the government is the largest ever for a disclosure of electronic protected health information (ePHI) as defined by the 1996 Health Insurance Portability and Accountability Act (HIPAA).

The release of the protected health information was discovered when an individual found private health information about his deceased partner, a former New York Presbyterian Hospital patient, on the internet and complained. An investigation revealed that a physician employed by Columbia University Medical Center who developed applications had attempted to deactivate a personally-owned computer server on the New York Presbyterian Hospital network and in the process, accidentally placed the ePHI it contained outside of the network’s firewall where it could be accessed through common search engines like Google.

New York Presbyterian Hospital and Columbia University Medical Center alerted HHS to what had happened. Self-disclosure of mistakes can limit fines, but in this case, the government found that many steps that should have both anticipated the type of mistake the physician made and created technical safeguards to make such a mistake impossible had not been taken. This included conducting a thorough risk analysis of all systems that accessed the hospital’s ePHI and then assuring that servers with ePHI on them were secure and had appropriate software protections. In addition, the government found the hospital’s policies and procedures for authorizing access to its databases wanting, and that it didn’t even comply with the policies it did have in authorizing access to ePHI.

Under the settlement agreement, New York Presbyterian Hospital will pay the Office of Civil Rights $3,300,000 and Columbia University Medical Center will pay the Office of Civil Rights $1,500,000. In addition, both providers have agreed to implement “corrective action plans.” This includes risk analysis, risk management plan development, revised policies and procedures, mandatory staff and physician training, and regular progress reports sent to the government on their efforts.

The case reaffirms that HHS and the Office of Civil Rights have a high expectation for provider organizations of all sizes to conduct adequate risk analysis when it comes to securing ePHI. In March, HHS’s Office of the National Coordinator, in collaboration with the HHS Office for Civil Rights (OCR) and the HHS Office of the General Counsel (OGC), released a downloadable Security Risk Assessment Tool (SRA Tool) to help providers of all sizes — but particularly smaller providers without the resources of major hospital systems — conduct a risk analysis and better protect their ePHI. The tool is at: http://www.healthit.gov/providers-professionals/security-risk-assessment