$4.8 million HIPAA settlement

The U.S. Department of Health and Human Services (HHS) announced that it has reached its largest HIPAA settlement to date with New York and Presbyterian Hospital (NYP) and Columbia University (CU), following an investigation into the joint breach report the two entities submitted in September 2010. The settlement includes monetary payments totaling $4.8 million.

NYP and CU are separate covered entities with a shared affiliation and shared network links to NYP patient systems containing electronic protected health information (ePHI). When a physician attempted to deactivate a personally owned computer server on that network, the lack of technical safeguards left ePHI accessible on the internet.

The breach resulted in the disclosure of the ePHI of 6,800 patients. In its follow-up investigation, the HHS Office for Civil Rights (OCR) found the entities' data security lacking. In the HHS press release announcing the settlement, Christina Heide, Acting Deputy Director of Health Information Privacy for OCR, stated that, "Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems."

During its investigation, OCR determined that, prior to the breach, neither entity had taken steps to ensure the server was secure or that appropriate software protections were in place. Neither entity had conducted an "accurate and thorough" risk analysis or developed an "adequate" risk management plan, both of which the HIPAA Security Rule requires. OCR also found that NYP had failed to implement Security Rule policies and procedures for authorizing access to its databases and had failed to comply with its own policies on information access management.
