On May 7, 2014, the Department of Health and Human Services (“HHS”) announced that NewYork-Presbyterian Hospital (“NYP”) and Columbia University (“CU”) agreed to collectively pay $4.8 million in the largest HIPAA settlement to date, to settle charges that they potentially violated the HIPAA Privacy and Security Rules.

According to HHS, NYP and CU operate a shared data network that links to patient information systems containing electronic protected health information (“ePHI”). The two entities submitted a joint breach report in September 2010 following the discovery that the ePHI of 6,800 individuals had been improperly disclosed due to a lack of technical safeguards, and was accessible to the public using Internet search engines. The ePHI included patient statuses, vital signs, medications and laboratory results.

Following the submission of the breach report, the HHS Office for Civil Rights (“OCR”) initiated an investigation and determined that neither entity had conducted an accurate and thorough risk analysis or developed an adequate risk management plan. OCR further concluded that NYP failed to implement appropriate policies and procedures for protecting its databases.

NYP agreed to pay $3.3 million and CU agreed to pay $1.5 million. In the resolution agreements, both entities also agreed to Corrective Action Plans that required each entity to:

  • undertake a thorough risk analysis;
  • develop and implement a risk management plan;
  • review and revise policies and procedures on information access management and device and media controls;
  • train staff who have access to ePHI; and
  • provide progress reports.

CU must also “develop a process to evaluate any environmental or operational changes” that affect the security of the ePHI it maintains.

In announcing the settlement, Christina Heide, Acting Deputy Director of Health Information Privacy for OCR, noted that NYP and CU share the joint compliance burden and encouraged other entities to “make data security central to how they manage their information systems.” This marks the fourth HIPAA settlement in 2014, bringing the combined total monetary penalties so far this year to more than $7 million.