The New York-Presbyterian Hospital and the Columbia University Medical Center have agreed to pay the largest-ever HIPAA violation settlement, totaling $4.8 million, in response to a joint data breach report submitted by the affiliated healthcare institutions in 2010.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the settlement Wednesday, ending the government agency's investigation of the incident that reportedly exposed the electronic protected health information (ePHI) of 6,800 patients at the two New York-based hospitals.
According to an HHS statement, the incident occurred when a Columbia University physician attempted to deactivate a personally owned computer server that contained ePHI for New York-Presbyterian patients. Due to a "lack of technical safeguards," the deactivated server exposed patients' health records to Internet search engines. The incident went unnoticed until the partner of a deceased New York-Presbyterian patient discovered the information and filed a complaint.
HHS noted that neither hospital had applied the appropriate software controls to ensure the server's security, nor had they conducted a thorough risk analysis to identify all of the systems that accessed ePHI.
"As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI," said the HHS statement. "Lastly, [New York-Presbyterian] failed to implement appropriate policies and procedures for authorizing access to its databases, and failed to comply with its own policies on information access management."
As part of the settlement, New York-Presbyterian and Columbia University agreed to implement a number of prescriptive measures under the supervision of HHS officials, including conducting a risk analysis of all systems owned by New York-Presbyterian and its staff within 180 days, developing an organization-wide risk management plan within 90 days of completing its risk analysis, and implementing any HHS-recommended changes to said plan within 60 days.
HIPAA violations have come with increasingly large price tags since the adoption of the HITECH Act in 2009. The $4.8 million fine levied against the two New York hospitals narrowly beats out the former largest HIPAA settlement of $4.3 million, which was assessed against Cignet Health, a Maryland-based provider, in 2011.
"When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information," said Christina Heide, deputy director of health information privacy for OCR. "Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems."