$4.8M HIPAA fine sets new record

The Department of Health and Human Services has laid down the gauntlet when it comes to security of patient data. New York-Presbyterian Hospital (NYP) and Columbia University Medical Center (CU) together have agreed to pay a record-breaking $4.8 million to settle alleged HIPAA violations after the electronic protected health information (ePHI) of 6,800 patients wound up on Google in 2010.   

An investigation by the Office for Civil Rights (OCR) found that the breach occurred when a Columbia physician, who developed applications for both organizations, attempted to deactivate a personally owned computer server on the network that contained ePHI. Because technical safeguards were lacking, deactivating the server left the ePHI accessible on the internet. The entities learned of the breach after receiving a complaint from an individual who found the ePHI of their deceased partner, a former NYP patient, online.

In addition to the ePHI disclosure, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections, according to an HHS release. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

“When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information,” said Christina Heide, acting deputy director of health information privacy for OCR. “Our cases against NYP and CU should remind healthcare organizations of the need to make data security central to how they manage their information systems.”

NYP has paid OCR a monetary settlement of $3,300,000 and CU $1,500,000, with both entities agreeing to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff and providing progress reports.

Beth Walsh, Editor

Beth earned a bachelor’s degree in journalism and a master’s in health communication. She has worked in hospital, academic and publishing settings over the past 20 years. Beth joined TriMed in 2005 as editor of CMIO and Clinical Innovation + Technology. When not covering all things related to health IT, she spends time with her husband and three children.
