While most healthcare providers know to pay close attention to the HIPAA rules when setting up their information technology systems, recent events have demonstrated that the same scrutiny must also be applied to server reconfigurations and other IT system changes. According to the Department of Health and Human Services Office for Civil Rights (“OCR”), a “reconfiguration” of a computer server shared by two healthcare providers caused the health information of 6,800 patients to become accessible to Internet search engines. The healthcare providers, New York-Presbyterian Hospital and Columbia University Medical Center, each entered into a settlement and a Corrective Action Plan with OCR, paying a combined $4.8 million to OCR.
According to OCR, the hospitals failed to conduct an accurate and thorough risk analysis incorporating all information technology (“IT”) equipment, applications, and data systems that use electronic protected health information (“ePHI”). They also failed, prior to the breach, to implement processes for assessing and monitoring all IT equipment, applications, and data systems linked to their patient databases, and failed to implement security measures sufficient to reduce the risks and vulnerabilities to their ePHI to a reasonable and appropriate level. Finally, the hospitals failed to implement appropriate policies and procedures for authorizing access to their patient databases, and failed to comply with their own HIPAA security policies on information access management.
Under the HIPAA Security Rule, most healthcare providers are required to conduct a risk analysis covering, among other things, the IT equipment and systems that create, store, or transmit ePHI. They are also required to implement HIPAA security policies and procedures that reduce both the vulnerabilities in their IT systems and the resulting risk of a HIPAA violation. Whenever a change is made to a healthcare provider’s IT systems, the risk analysis should be updated to identify any new risk of improper disclosure of ePHI created by the change. Any such risk must be eliminated or reduced to a reasonable and appropriate level before the change is implemented, to avoid a violation of HIPAA and the costly penalties that go along with it.