New York-Presbyterian Hospital (NYP) will pay $3.3 million and Columbia University (CU) will pay $1.5 million to settle allegations that they failed to secure thousands of patients’ electronic protected health information (ePHI) held on their network. The monetary payments totaling $4,800,000 are the largest HIPAA settlement to date. In addition to the payment of this significant fine, NYP and CU have agreed to implement a substantial corrective action plan under the NYP Resolution Agreement and CU Resolution Agreement, which includes the following obligations:
- Conduct a thorough risk analysis;
- Develop and implement a risk management plan and a process for evaluating environmental and operational changes;
- Review and revise policies and procedures on information access management and device and media controls;
- Comply with the evaluation standard; and
- Develop a privacy and security awareness training program.
Although NYP and CU are separate covered entities, they participate in a joint arrangement whereby CU faculty serve as attending physicians at NYP. Under this arrangement, NYP and CU operate a shared data network and shared network firewall that is administered by employees of both entities.
The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the internet. In response to this complaint, NYP and CU submitted a joint breach report in September 2010 related to the disclosure of ePHI of 6,800 individuals, including patient status, vital signs, medications and lab results. Following this submission, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) began its investigation of both hospitals.
OCR’s investigation revealed that the breach occurred when a CU-employed physician, who developed applications for both NYP and CU, attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Due to a lack of technical safeguards, the deactivation caused ePHI to be accessible on internet search engines.
OCR findings focused on the inadequacy of risk assessment and risk management at NYP and CU. Prior to the breach, neither NYP nor CU made efforts to assure that the server was secure and that it contained adequate software protections. Neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. Neither entity developed an adequate risk management plan that addressed potential threats and hazards to the security of ePHI. In addition, NYP failed to implement appropriate policies and procedures to authorize access to its databases and failed to comply with its own policies on information access management.
- Joint information technology arrangements create a shared burden among participating entities to address the risks to protected health information.
- Data security should be central to how health care organizations manage their information systems.
As is customary in OCR settlements, neither NYP nor CU admitted liability, and OCR explicitly stated that the signed resolution agreements do not represent a concession by the agency that the entities were not in violation of HIPAA and were not liable for civil monetary penalties.