New York-Presbyterian Hospital and Columbia University have agreed to a combined $4.8 million settlement with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.
The settlements resulted from a failure to secure the ePHI (electronic protected health information) of thousands of patients held on the hospitals’ networks, business briefing service Mondaq reports. The two institutions participate in a joint arrangement under which Columbia faculty members serve as attending physicians at Presbyterian. The investigation followed a joint breach report the hospitals submitted to OCR in September 2010. A physician employed by Columbia had attempted to deactivate a personally owned computer server on the shared network that held Presbyterian patient ePHI. Because the deactivation was carried out improperly, the ePHI of 6,800 individuals became reachable through Internet search engines. The exposed information included patient status, vital signs, medications, and laboratory results.
According to OCR, neither institution had conducted a thorough risk analysis identifying all systems that could access the shared data network, nor did either have an adequate risk management plan to address potential threats to ePHI, Mondaq reports. Christina Heide, Acting Deputy Director of Health Information Privacy for OCR, said the hospitals “share the burden of addressing the risks to protected health information.” “Data security” must be “central” to how health care organizations manage their information systems, she said.
Presbyterian is to pay $3.3 million of the settlement to OCR, with Columbia paying $1.5 million, according to Mondaq. In addition, the hospitals agreed to extensive corrective action plans, including the development of a risk management plan, revised policies and procedures, and complete staff training.