New York-Presbyterian and Columbia hospitals have paid a record total of $4.8 million to settle violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, the U.S. Department of Health and Human Services Office of Civil Rights (OCR) announced last week. According to Mondaq.com, the hospitals had failed to secure the electronic protected health information (ePHI) of thousands of patients on their networks.
Due to a joint arrangement between New York-Presbyterian Hospital and Columbia University, Columbia faculty are allowed to serve as attending physicians at Presbyterian. Under this arrangement, the two hospitals use a shared data network that links to Presbyterian patient information containing ePHI. According to Mondaq, the HIPAA violation occurred when a Columbia physician tried to deactivate a personal computer server connected to the shared network. As a result, the ePHI of 6,800 individuals became accessible through Internet search engines. Presbyterian and Columbia said that this information included patient status, vital signs, medication and lab results.
The hospitals submitted a joint breach report to OCR in September 2010. OCR investigated the situation and concluded that both hospitals had failed to conduct a thorough risk analysis to determine all systems that have access to the shared data network. OCR also found that neither Columbia nor Presbyterian had a proper risk management plan to deal with the threats to ePHI. Parties that enter joint compliance arrangements “share the burden of addressing the risks to protected health information,” said Christina Heide, Acting Deputy Director of Health Information Privacy for OCR. Heide said the situation should “remind health care organizations of the need to make data security central to how they manage their information systems.”
Under the settlement, Presbyterian paid $3.3 million and Columbia paid $1.5 million. On top of these payments, both hospitals have agreed to implement substantial corrective measures, including undertaking a risk analysis, developing a risk management plan, revising policies and procedures, and completing staff training, Mondaq reports.