New York-Presbyterian Hospital and Columbia University have reached a $4.8 million settlement with the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services (HHS) after the records of 6,800 patients were exposed on the internet. The exposed electronic protected health information (ePHI) included patients’ vital signs, medications and lab test results. The settlement amount is the largest Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement to date.

Background

The hospital and the university are separate covered entities that operate a shared data network linked to the hospital’s information system. The two organizations submitted a joint breach report on Sept. 27, 2010, after each received a complaint from an individual who had found a deceased partner’s patient information from the hospital online.

An investigation of the breach found that a physician employed by the university, who had developed applications for both the hospital and the university, “attempted to deactivate a personally owned computer server on the network.” Because the network lacked technical safeguards, deactivating the server left ePHI accessible through Google and other internet search engines. OCR alleged that neither the hospital nor the university had conducted an adequate risk analysis identifying all systems that had access to the ePHI, and that neither had implemented adequate plans, policies and procedures for authorizing access to the databases. The practical point is that a risk analysis must cover every system that can reach ePHI, including personally owned equipment attached to the network, not only the systems the organization procured itself.

Settlement Terms

New York-Presbyterian Hospital will pay $3.3 million of the total settlement amount; Columbia University will pay the other $1.5 million. In addition, both organizations agreed to carry out a “substantive corrective action plan” that includes “undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff and providing progress reports.”

To date, OCR has received 985 reports of breaches, accounting for the exposure of 31.3 million records.

Other Cases

The breach at New York-Presbyterian Hospital and Columbia is not an isolated incident. In April 2014, health care companies Concentra Health Services and QCA Health Plan Inc. agreed to pay the government nearly $2 million collectively after unencrypted laptops containing ePHI were stolen. OCR alleged, among other things, that Concentra had identified in 2008 that the lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing ePHI was a “critical risk.” OCR further alleged that although Concentra had begun the process of encrypting those devices, its efforts were “incomplete and inconsistent over time.” OCR’s allegations against QCA were similar: OCR did not believe that QCA had implemented security management policies and procedures designed to prevent, detect, contain and correct security violations. The lesson in both cases is that identifying a risk and then leaving the remediation unfinished is treated no better than never identifying it at all.

In addition to the settlement payments, both organizations are now required to submit annual reports to HHS on their compliance with a corrective action plan.

What Now?

It is crucial that healthcare organizations make data security a top priority within their information systems. Below are a few ways to provide better protection for patient data, from firm partner Carmin D. Grandinetti.

5 Ways to Provide Better Patient Data Protection

  1. Identify the potential risks and vulnerabilities to the confidentiality, integrity and availability of your data, covering every system, device and application that can access ePHI, including personally owned equipment connected to your network.
  2. Revise your security policies to address the vulnerabilities uncovered, and follow the remediation through to completion rather than leaving it partially implemented.
  3. Conduct risk assessments regularly, and verify through periodic audits that your employees and providers are complying with existing security policies.
  4. Develop a mobile device policy that protects the data on a device if it is lost (for example, through encryption) while remaining transparent to users. If a policy is difficult to implement or interferes with users’ ability to perform their work, the risk that the policy will not be followed only increases.
  5. Educate your employees and providers to recognize the applications, mobile devices and medical equipment that collect, contain or transmit patient information, and explain the reasons for the security policies that are in place.