Largest Ever HIPAA Fine Comes Down Hard on Two New York Hospitals

08 May 2014 Health Care Law Today Blog

New York-Presbyterian Hospital (NYP) will pay $3.3 million and Columbia University (CU) will pay $1.5 million to settle allegations that they failed to secure thousands of patients’ electronic protected health information (ePHI) held on their network. The monetary payments, totaling $4,800,000, are the largest HIPAA settlement to date. In addition to these payments, NYP and CU have agreed to implement a substantial corrective action plan under the NYP Resolution Agreement and the CU Resolution Agreement, which includes the following obligations:

  1. Conduct a thorough risk analysis;
  2. Develop and implement a risk management plan and a process for evaluating environmental and operational changes;
  3. Review and revise policies and procedures on information access management and device and media controls;
  4. Comply with the evaluation standard; and
  5. Develop a privacy and security awareness training program.

Although NYP and CU are separate covered entities, they participate in a joint arrangement whereby CU faculty serve as attending physicians at NYP. Under this arrangement, NYP and CU operate a shared data network and shared network firewall that is administered by employees of both entities. 

The entities learned of the breach after receiving a complaint from an individual who found the ePHI of the individual’s deceased partner, a former NYP patient, on the internet. In response to this complaint, NYP and CU submitted a joint breach report in September 2010 covering the disclosure of ePHI of 6,800 individuals, including patient status, vital signs, medications and lab results. Following this submission, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) began its investigation of both entities.

OCR’s investigation revealed that the breach occurred when a CU-employed physician, who developed applications for both NYP and CU, attempted to deactivate a personally-owned computer server on the network that contained NYP patient ePHI. Because no technical safeguards were in place, the deactivation left the ePHI accessible to internet search engines.

OCR’s findings focused on the inadequacy of risk assessment and risk management at NYP and CU. Prior to the breach, neither NYP nor CU had taken steps to ensure that the server was secure and that it contained adequate software protections. Neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI, and neither had developed an adequate risk management plan that addressed potential threats and hazards to the security of ePHI. In addition, NYP failed to implement appropriate policies and procedures to authorize access to its databases and failed to comply with its own policies on information access management.

Key takeaways:

  • Joint information technology arrangements create a shared burden among participating entities to address the risks to protected health information.
  • Data security should be central to how health care organizations manage their information systems.

As is customary in OCR settlements, neither NYP nor CU admitted liability, and OCR explicitly stated that the signed resolution agreements do not represent a concession by the agency that the entities were not in violation of HIPAA and were not liable for civil monetary penalties.
