New York Health Organizations to Pay $4.8 Million HIPAA Fine

NewYork-Presbyterian Hospital will pay $3.3 million and Columbia University will pay $1.5 million to settle allegations that they failed to secure Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA).  The organizations disclosed to HHS’ Office of Civil Rights that a breach under HIPAA occurred when a Columbia physician deactivated a personally owned computer server on the network containing NewYork-Presbyterian’s electronic PHI (ePHI), which allowed the ePHI to become available on the Internet and accessible through search engines.  Neither organization made efforts before the breach to ensure that the server was secure and contained appropriate software protections.  In addition, neither NewYork-Presbyterian nor Columbia had conducted an accurate risk analysis that identified all systems that access the ePHI.

Stolen Computer HIPAA Penalties

Concentra Health Services and QCA Health Plan Inc. are each paying fines under HIPAA in matters involving stolen computers containing PHI.  Concentra is paying $1.7 million and QCA is paying $250,000. In both instances, the computers were unencrypted.