On May 07, the U.S. Department of Health and Human Services (HHS) announced that New York-Presbyterian Hospital (NYP) and its affiliate, Columbia University Medical Center (CU), have paid a total of $4.8 million to settle charges that they violated the Health Insurance Portability and Accountability Act (HIPAA) by failing to secure thousands of patients' electronic protected health information (ePHI). HHS's press release noted that this is the largest HIPAA settlement to date.
NYP and CU participate in a joint arrangement in which faculty members of CU serve as attending physicians at NYP, and the two entities jointly operate and administer a shared data network and a shared network firewall. In September 2010, NYP and CU reported to HHS that the ePHI of 6,800 patients had been accidentally made accessible on the internet and indexed by search engines.

The investigation by HHS's Office for Civil Rights (OCR) found that the breach resulted from a CU physician's technical error and a lack of proper technical safeguards. NYP and CU were also found not to have conducted proper risk analyses or to have adopted appropriate policies and procedures for access to their data network, among other problems.

NYP and CU shared the cost of the settlement, with NYP paying OCR $3.3 million and CU paying $1.5 million. Both entities also agreed to a corrective action plan, including conducting risk analyses, creating risk management plans, revising policies and procedures, and training staff.

"When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information," said Christina Heide, Acting Deputy Director of Health Information Privacy for OCR, in HHS's press release. "Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems."

The data breach was discovered online by the partner of a former patient of NYP. NYP and CU notified affected individuals and media outlets at the time, as HIPAA requires, and there was no indication that any of the ePHI was accessed or used inappropriately. Nonetheless, as discussed here and here, HHS seems increasingly determined to make examples of healthcare providers that, in its view, are falling short in HIPAA compliance.