January 27, 2022

Volume XII, Number 27


New York Hospitals to Pay Record $4.8 Million for HIPAA (Health Insurance Portability and Accountability Act) Data Breach

In the largest Health Insurance Portability and Accountability Act (HIPAA) settlement to date, two New York hospitals have agreed to pay $4.8 million to settle allegations that they failed to secure thousands of patients’ electronic protected health information (ePHI) held on their shared network.

The U.S. Department of Health & Human Services Office for Civil Rights (OCR) investigated New York-Presbyterian Hospital (NYP) and Columbia University (CU) after the organizations reported a breach involving 6,800 individuals’ ePHI, including patient status, vital signs, medications, and laboratory results.

The organizations are separate covered entities for HIPAA purposes that operate a shared data network linked to the hospital’s information system.

OCR reported that the breach occurred when a CU physician attempted to deactivate a personally owned computer server on the network that contained NYP patients’ ePHI. OCR alleged that “a lack of technical safeguards” resulted in the ePHI being exposed to the Internet and accessible through search engines like Google. The organizations submitted a joint breach report to OCR on September 27, 2010, after receiving a complaint from an individual who had found a deceased partner’s patient information on the Internet.

OCR also contended that, prior to the breach, neither organization made efforts to ensure that the server was secure and that it contained appropriate software protections. OCR further alleged that neither entity had conducted an accurate and thorough risk analysis to identify all systems that access NYP’s ePHI or developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. OCR also concluded that NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

“When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information,” said Christina Heide, Acting Deputy Director of Health Information Privacy for OCR. “Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.”

Of the $4.8 million, NYP agreed to pay $3.3 million and CU agreed to pay $1.5 million. Both organizations also agreed to prepare a “substantive corrective action plan” that includes “undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff and providing progress reports.”

Access the NYP Hospital Resolution Agreement.

Access the CU Resolution Agreement.

Copyright 2014, American Health Lawyers Association, Washington, DC. Reprint permission granted.

©1994-2022 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

National Law Review, Volume IV, Number 133
