On May 7, 2014, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced settlements with two New York hospitals that included the largest monetary payments to date under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). OCR’s investigation followed a joint breach report filed on Sept. 27, 2010, by New York-Presbyterian Hospital (NYP) and Columbia University (CU), indicating that the electronic protected health information (ePHI) of 6,800 individuals became accessible via the internet.

NYP and CU participate in a joint arrangement whereby CU faculty physicians serve as attending physicians at NYP. Thus, to facilitate patient care and access to ePHI, NYP and CU jointly operate and administer a shared patient data network and firewall system. OCR’s investigation found the point of compromise to be a CU faculty physician who reconfigured a personal computer that functioned as a server for the network and contained NYP patient ePHI. This reconfiguration exposed the ePHI on the internet, making it searchable via common search engines such as Google. An individual found the ePHI of a deceased partner who was a former NYP patient and filed an internal complaint with NYP.

OCR’s investigation found that, prior to the data system breach, NYP and CU failed to conduct an adequate risk analysis of their health information technology equipment, applications and data systems that contained ePHI. Further, NYP and CU failed to monitor and implement sufficient security measures to reduce data security risks. Finally, NYP failed to implement appropriate privacy and security policies and procedures that restricted authorized access to its data network and failed to comply with its own policies on ePHI access.

In the largest HIPAA settlement to date, NYP agreed to pay OCR $3,300,000, while CU agreed to pay OCR $1,500,000. In addition, both CU and NYP signed resolution agreements that impose additional obligations on each entity through corrective action plans that include a risk analysis, risk management plan, updated policies and procedures, employee training and reporting to OCR.

With the increasing adoption of electronic health records and shared data networks, we expect that OCR will continue to investigate and penalize providers for breaches of ePHI. Thus, covered entities should aim to avoid becoming the next settlement milestone and proactively address risks to ePHI posed by joint data-sharing arrangements. OCR suggests that the key for covered entities is to make “data security central to how they manage their information systems.”