New York-Presbyterian Hospital and Columbia University collectively have paid $4.8 million to the HHS Office for Civil Rights to settle charges of violating the HIPAA privacy and security rules.

The hospital paid $3.3 million and the university paid $1.5 million, with both agreeing to implement corrective action plans. The combined total payment is a record, but not the largest single financial penalty issued to a covered entity. That distinction goes to Cignet Health in 2011, which was fined $4.3 million for multiple violations of the privacy rule, refusing to respond to OCR’s request for records and failing to cooperate in a breach investigation for more than a year.

New York-Presbyterian and Columbia University Medical Center are affiliated, with Columbia faculty members serving as attending physicians at NYP. They operate a shared data network and network firewall administered by employees of both organizations, according to an OCR statement. On Sept. 27, 2010, the organizations submitted a joint breach report to OCR after learning that protected health information on 6,800 patients was accessible on Google and other Internet search engines. The compromised data included patient status, vital signs, medications and lab reports.

“The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI,” according to OCR. “Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on the Internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the Internet.”

OCR’s investigation found that both organizations failed to ensure the server was secure and neither entity had conducted an appropriate risk analysis of all systems accessing NYP data. NYP further did not implement appropriate policies and procedures for authorizing access to databases, and did not comply with its own policies on access management, according to the resolution agreement the organization signed with OCR.

Similarly, Columbia failed to conduct appropriate risk analysis of information systems using ePHI, did not adequately assess and monitor IT systems linked to NYP and failed to implement security measures to lower risk to an acceptable level, according to its resolution agreement.

As is customary in OCR settlements, the covered entities did not admit liability and OCR said the resolution agreements were not a concession by the agency that the entities were not in violation of HIPAA and were not liable for civil money penalties.

The NYP resolution agreement/corrective action plan is here, and the Columbia agreement and plan are here.
