In connection with a data breach that impacted approximately 6,800 individuals, two New York healthcare organizations have entered into the largest settlement agreement to date for potential violations of the Health Insurance Portability and Accountability Act (HIPAA). On May 7, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement with New York and Presbyterian Hospital (NYP) and Columbia University (CU) for a combined total of $4.8 million in connection with a breach of patients’ electronic protected health information (ePHI) stored on the entities’ shared network.

Under a joint arrangement, CU faculty members serve as attending physicians at NYP, through an affiliation called the “New York Presbyterian Hospital/Columbia University Medical Center.” As a result of this arrangement, CU and NYP operate a shared data network (along with a shared firewall) that links CU with NYP patient information systems containing ePHI.

In September 2010, New York Presbyterian Hospital/Columbia University Medical Center submitted a joint breach report to OCR, after a CU physician attempted to deactivate a personally owned computer server on the organization’s network. Because the network lacked certain technical safeguards, the server’s deactivation caused ePHI (including patient status, vital signs, medications and laboratory results) to become generally accessible online. CU and NYP were initially informed of this breach after the partner of a former NYP patient found that patient’s information on the Internet.

OCR investigated the alleged breach and found that, in addition to the disclosure of ePHI, both CU and NYP failed to conduct an accurate, thorough risk analysis of all information technology equipment, applications and data systems using ePHI. Further, OCR found that both entities failed to implement appropriate security measures to reduce the risk of impermissible disclosure of ePHI on their networks. As a result, neither entity had developed an appropriate risk management plan to protect the security of ePHI.

Finally, OCR found that NYP did not have appropriate policies and procedures for authorizing access to databases containing patient information, and that the organization failed to comply with the policies that had been implemented for managing information access.

NYP paid a greater portion of the $4.8 million settlement agreement, totaling $3.3 million, and CU paid $1.5 million. Additionally, both entities entered into Corrective Action Plans (CAPs) with HHS, which will last for three years. The CAPs require each entity to (among other things) undertake a risk analysis, develop a risk management plan, revise policies and procedures on information access management and device and media controls, and develop a privacy and security awareness training program.

Joint Arrangements Mean Joint Liability

In connection with the investigation, OCR stressed that joint healthcare arrangements can result in liability for all covered entities involved. “When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information,” Christina Heide, OCR’s Acting Deputy Director of Health Information Privacy, said in a statement. “Our cases against NYP and CU should remind healthcare organizations of the need to make data security central to how they manage their information systems.”

The New York Presbyterian Hospital/Columbia University Medical Center settlement was finalized just one month after HHS announced separate settlements with Concentra Health Services and QCA Health Plan, Inc., in connection with compliance actions involving unencrypted laptop computers and other mobile devices. These settlements should remind all covered entities of the importance of ensuring that all ePHI is stored as dictated by the HIPAA Security Rule, as both settling a breach and implementing remedial measures can be costly.