$4.8M HIPAA fine sets new record
The Department of Health and Human Services has thrown down the gauntlet when it comes to the security of patient data. New York-Presbyterian Hospital (NYP) and Columbia University Medical Center (CU) together have agreed to pay a record-breaking $4.8 million to settle alleged HIPAA violations after the electronic protected health information (ePHI) of 6,800 patients wound up on Google in 2010.
An investigation by the Office for Civil Rights (OCR) found that the HIPAA breach occurred when a Columbia physician, who developed applications for both organizations, attempted to deactivate a personally owned computer server on the network that contained ePHI. Due to a lack of technical safeguards, the server deactivation resulted in ePHI being accessible on the internet. The entities learned of the breach only after receiving a complaint from someone who found the ePHI of their deceased partner, a former NYP patient, online.
In addition to the ePHI disclosure, OCR's investigation found that neither NYP nor CU had made any effort prior to the breach to ensure that the server was secure and that it contained appropriate software protections, according to an HHS release. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis identifying all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan addressing the potential threats and hazards to the security of ePHI. Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.
“When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information,” said Christina Heide, acting deputy director of health information privacy for OCR. “Our cases against NYP and CU should remind healthcare organizations of the need to make data security central to how they manage their information systems.”
NYP has paid OCR a monetary settlement of $3,300,000 and CU $1,500,000, with both entities agreeing to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff and providing progress reports.