Yesterday, May 7th, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced that it had reached a $4.8 million settlement with a New York hospital and university for failing to secure thousands of patients’ electronic health information held on their network. The $4.8 million settlement is the largest settlement to date to resolve potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The settlement underscores the importance conducting adequate risk assessments, taking appropriate security measures, limiting access to protected health information, and providing appropriate training to all members of the workforce.

The hospital and university are separate covered entities, each subject to HIPAA, that participate in a joint arrangement whereby the university’s faculty members serve as physicians at the hospital. The settlement stems from a September 2010 joint breach report submitted by the university and hospital following the exposure of 6,800 patients’ records, including patient status, vital signs, medications, and lab test reports.

An investigation revealed that the breach was caused when a physician employed by the university, who developed applications for both entities, attempted to deactivate a personally-owned computer server on a shared network linking the hospital’s patient information systems. Because of a lack of required technical safeguards, the deactivation of the server resulted in health information being accessible on Google and other internet search engines. The breach was discovered when an individual filed a complaint after finding health information of a deceased partner, a former patient of the hospital, on the internet.

In addition to the impermissible disclosure of health information, OCR found that: (1) neither entity made efforts prior to the breach to assure the server was secure with appropriate software protections; (2) neither entity conducted an accurate risk analysis or developed an adequate risk management plan that addressed potential threats to the security of health information; and (3) the hospital failed to implement or comply with appropriate policies and procedures for authorizing access to databases.

The hospital will pay the majority of the settlement, $3.3 million, with the university paying $.15 million. In addition to the settlement, the entities agreed to a substantive three year corrective action plan (CAP), which requires: conducting a risk analysis, developing a risk management plan (subject to OCR approval), revising policies and procedures (subject to OCR approval), providing enhanced training to all workforce members, reporting to OCR after any failure to comply with updated policies, and proving progress reports. A breach of a CAP may result in imposition of civil money penalties pursuant to OCR’s expanded authority under the Omnibus Rule.