In the largest Health Insurance Portability and Accountability Act (HIPAA) settlement to date, two New York hospitals have agreed to pay $4.8 million to settle allegations that they failed to secure thousands of patients’ electronic protected health information (ePHI) held on their shared network.

The U.S. Department of Health & Human Services Office for Civil Rights (OCR) investigated New York-Presbyterian Hospital (NYP) and Columbia University (CU) after the organizations reported a breach involving 6,800 individuals’ ePHI, including patient status, vital signs, medications, and laboratory results.

The organizations are separate covered entities for HIPAA purposes that operate a shared data network linked to the hospital’s information system.

OCR reported that the breach occurred when a CU physician attempted to deactivate a personally owned computer server on the network that contained NYP patients’ ePHI. OCR alleged that “a lack of technical safeguards” resulted in the ePHI being exposed to the Internet and accessible through search engines like Google. The organizations submitted a joint breach report to OCR on September 27, 2010 after receiving a complaint from an individual who had found a deceased partner’s patient information on the Internet.

OCR also contended that, prior to the breach, neither organization made efforts to ensure that the server was secure and that it contained appropriate software protections. OCR further alleged that neither entity had conducted an accurate and thorough risk analysis to identify all systems that access NYP’s ePHI or developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. OCR also concluded that NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

“When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information,” said Christina Heide, Acting Deputy Director of Health Information Privacy for OCR. “Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.”

Of the $4.8 million, NYP agreed to pay $3.3 million and CU agreed to pay $1.5 million. Both organizations also agreed to prepare a “substantive corrective action plan” that includes “undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff and providing progress reports.”

Access the NYP Hospital Resolution Agreement.

Access the CU Resolution Agreement.

Copyright 2014, American Health Lawyers Association, Washington, DC. Reprint permission granted.