On May 7, the U.S. Department of Health and Human Services (HHS) announced that New York-Presbyterian Hospital (NYP) and its affiliate, Columbia University Medical Center (CU), have paid a total of $4.8 million to settle charges that they violated the Health Insurance Portability and Accountability Act (HIPAA) by failing to secure thousands of patients’ electronic protected health information (ePHI). HHS’s press release noted that this is the largest HIPAA settlement to date.

NYP and CU participate in a joint arrangement in which faculty members of CU serve as attending physicians at NYP, and the two entities jointly operate and administer a shared data network and a shared network firewall. In September 2010, NYP and CU reported to HHS that the ePHI of 6,800 patients had been accidentally made accessible on the internet and indexed by search engines.

The investigation by HHS’s Office for Civil Rights (OCR) found that the breach resulted from a CU physician’s technical error and a lack of proper technical safeguards. NYP and CU were also found not to have conducted proper risk analyses or to have adopted appropriate policies and procedures for access to their data network, among other problems. 

NYP and CU shared the cost of the settlement, with NYP paying OCR $3.3 million and CU paying $1.5 million. Both entities also agreed to a corrective action plan, including conducting risk analyses, creating risk management plans, revising policies and procedures, and training staff.

“When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information,” said Christina Heide, Acting Deputy Director of Health Information Privacy for OCR, in HHS’s press release. “Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.”

The data breach was discovered online by the partner of a former NYP patient. NYP and CU notified affected individuals and media outlets at the time, as HIPAA requires, and there was no indication that any of the ePHI was accessed or used inappropriately. Nonetheless, as discussed in earlier posts, HHS seems increasingly determined to make examples of healthcare providers that, in its view, are falling short in HIPAA compliance.