On May 7, 2014, HHS OCR announced a pair of resolution agreements with New York Presbyterian Hospital (NYP) and Columbia University (CU) totaling $4.8 million dollars—the highest settlement amount to date. These resolution agreements make it clear that organizations must be able to propose steps to analyze security risks for ePHI as specified by HIPAA and plan strategies to manage identified risks.
Pursuant to 45 C.F.R. §§ 164.308(a)(1)(i)(ii)(A) and (B), an organization must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI and implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to:
(i) ensure the confidentiality, integrity, and availability of ePHI created, received, maintained, and/or transmitted;
(ii) protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
(iii) protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required;
(iv) ensure compliance by its workforce.
By way of background, NYP and CU are separate covered entities participating in a joint arrangement in which CU faculty members serve as attending physicians at NYP under the affiliation name “New York Presbyterian Hospital/Columbia University Medical Center”. The two entities operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network allows access to NYP patient information systems containing ePHI.
The NYP and CU resolution agreements with HHS OCR stem from a joint breach report submitted by the entities on September 27, 2010 regarding the disclosure of the ePHI of 6,800 individuals. The breach occurred when a CU employed physician, who developed applications for both NYP and CU, attempted to deactivate a personally-owned computer server on to the network containing NYP ePHI. This resulted in the availability of patient information on Internet search engines. NYP and CU learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former NYP patient, on the Internet. Patient information affected included patient status, vital signs, medications, and laboratory results.
HHS OCR’s investigation of NYP and CU began on November 5, 2010 and indicated:
NYP impermissibly disclosed the ePHI of 6,800 patients to Google and other Internet search engines when a computer server that had access to NYP ePHI information systems was errantly reconfigured;
NYP and CU failed to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI;
NYP and CU failed to implement process for accessing and monitoring all IT equipment, applications, and data systems that were linked to NYP patient databases prior to the breach incident, and failed to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level; and
NYP failed to implement appropriate policies and procedures for authorizing access to its NYP patient database, and it failed to comply with its own policies on information access management.
In addition to payments from NYP ($3.3 million dollars) and CU ($1.5 million dollars), both entities must comply with a corrective action plan (CAP). As to corrective action:
NYP shall modify its existing risk analysis process, as well as develop and implement a risk management plan;
NYP shall develop an enhanced privacy and security awareness program;
CU shall conduct a thorough risk analysis, as well as develop and implement a risk management plan;
CU shall review and revise internal policies and procedures on Information Access Management;
CU shall develop a privacy and security awareness training program;
NYP and CU shall review and revise its respective policies and procedures on device and media controls; and
NYP and CU shall each implement a process for evaluating any environmental or operational changes that affect the security of their respective ePHI
The CAP for each entity is for a 3-year time period. Both entities must submit the documentation required under its obligations for review and approval by HHS OCR before implementation. In addition, each entity must submit a report to HHS OCR regarding reportable events, implementation status, and compliance with the CAP.
HHS OCR’s recent HIPAA enforcement history demonstrates that it intends to enforce the HIPAA risk analysis and mitigation requirements under the Security Rule. Following data breach reports to HHS OCR, organizations are often asked to provide a copy of their most recent risk analysis and mitigation plan related specifically to the facts of the incident, or their most recent analysis and plan in their entirety. In addition, there has been additional attention paid to risk analysis with the Office of the National Coordinator for Health Information Technology (ONC) release of its Security Risk Assessment Tool in March of 2014 (blogged about here). OCR also recently announced its preparation for the next round of HIPAA audits, which likely will focus on HIPAA requirements covered entities are most “unaware” of, including the risk analysis requirement (blogged about here).
Timely and thorough security risk analysis and mitigation is an OCR hot button. Entities must review their current risk analysis and mitigation plan to determine whether potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI is assessed and mitigated.