On May 7, 2014, the US Department of Health and Human Services Office of Civil Rights (OCR) announced settlements with two New York-based hospitals totaling $4.8 million for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlements related to the hospitals’ failure to secure the electronic protected health information (ePHI) of thousands of patients held on their networks and are the latest example of OCR’s increased enforcement action.

The two hospitals, New York-Presbyterian Hospital (Presbyterian) and Columbia University (Columbia), which participate in a joint arrangement allowing Columbia faculty members to serve as attending physicians at Presbyterian, were the subject of investigation following their submission of a joint breach report to OCR in September 2010. As part of their joint arrangement, the hospitals operate a shared data network, administered by employees of both entities, which links to Presbyterian patient information systems containing ePHI. The breach occurred when a physician employed by Columbia attempted to deactivate a personal computer server that was on the shared network and contained Presbyterian patient ePHI. The improper deactivation of the server resulted in ePHI being accessible through Internet search engines. Presbyterian and Columbia reported the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results.

As part of its investigation, OCR also determined that neither hospital had conducted a thorough risk analysis to determine all systems accessing the shared data network and that neither hospital had an adequate risk management plan to address the potential threats to ePHI. Christina Heide, Acting Deputy Director of Health Information Privacy for OCR, noted that entities participating in joint compliance arrangements “share the burden of addressing the risks to protected health information,” and that the cases against the hospitals should “remind health care organizations of the need to make data security central to how they manage their information systems.”

Presbyterian has paid OCR a settlement of $3.3 million, while Columbia has paid $1.5 million. In addition to the monetary penalties, both hospitals agreed to substantive corrective action plans, which include requirements for the hospitals to undertake a risk analysis, develop a risk management plan, revise policies and procedures, and complete staff training.

OCR’s settlements with Presbyterian and Columbia come one week after the agency announced settlements with two health care entities totaling close to $2 million for violations of the Privacy and Security Rules. The two companies, Concentra Health Services and QCA Health Plan, Inc., were the subject of separate OCR investigations initiated following reports of breaches of ePHI by the entities to OCR. Both breaches were the result of the thefts of unencrypted laptops containing ePHI. Concentra agreed to pay OCR $1.725 million and to adopt a corrective action plan to ensure that sufficient protections are put into place to safeguard ePHI. QCA agreed to a fine of $250,000 and to provide OCR with a risk management plan including additional risk-limiting security measures to secure QCA’s ePHI.

OCR has substantially increased its HIPAA enforcement efforts in recent years. The Health Information Technology for Economic and Clinical Health Act (HITECH), as implemented by the Omnibus HIPAA Rule issued on January 25, 2013 (available at 78 Fed. Reg. 5566), increased the potential civil monetary penalties that OCR could impose on Covered Entities — health care providers, health plans, and health care clearinghouses — and their Business Associates — entities that create, receive, maintain or transmit Protected Health Information for or on behalf of Covered Entities — for violating HIPAA. The Director of the OCR, Leon Rodriguez, has been quoted as saying the Omnibus Rule strengthened OCR’s ability to “vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider or one of their business associates.”

To mitigate the risk of a potential breach, it is critical that Covered Entities and their Business Associates conduct a thorough risk analysis and develop risk management plans to address the potential threats and hazards to the security of ePHI. The risk analysis should be reviewed and updated frequently to account for changes in technology and/or new risks, and risk management plans should be modified accordingly. Covered Entities and their Business Associates should also implement policies and procedures addressing workforce member access to databases and network security and should ensure that all employees and workforce members with access to ePHI are properly trained on the policies and procedures. As OCR’s latest settlement indicates, failure to take these steps can result in severe financial penalties.