It would be pretty unsettling if your patient status, vital signs, medications, and laboratory results were available for the world to see on Google, wouldn’t it? According to recent settlement agreements announced by the Department of Health and Human Services (“HHS”) on May 7, 2014, that’s exactly what happened when New York and Presbyterian Hospital (“Presbyterian”) and Columbia University (“Columbia”) suffered a data breach, and the covered entities are paying the price. Presbyterian agreed to pay $3.3 million in its settlement and Columbia agreed to pay $1.5 million in its settlement. The settlement agreements resolve alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) arising out of a breach of electronic protected health information (“ePHI”) that made the information of 6,800 individuals accessible via search engines, like Google.

The HHS Office for Civil Rights (“OCR”) began its investigation of Presbyterian and Columbia after receiving a joint notice of the breach back in 2010 and subsequently uncovered additional alleged violations of HIPAA. The entities filed a joint breach notice because, operating under an agreement whereby Columbia physicians acted as attending physicians at Presbyterian, they share a data network and a firewall. During its investigation, OCR discovered that the breach, caused by the deactivation of a server, was only the beginning of the entities’ compliance woes. OCR found that the entities’ servers lacked technical safeguards, which, had they been in place, would have prevented ePHI from being accessible from search engines. OCR also found that neither entity had made efforts to secure its servers before the breach, nor had either conducted a risk analysis thorough enough to enable it to create an adequate risk management plan.

The magnitude of the settlements (HHS reported that the monetary payments of $4.8 million include the largest HIPAA settlement to date) shows the importance of technical safeguards and assessing vulnerability in preventing unauthorized access to PHI. The entities are learning this the hard way; in addition to the monetary settlements, Presbyterian and Columbia are also entering into a corrective action plan. As part of the plan, the entities will have to perform a risk analysis, develop a risk management plan, and provide ongoing reports to HHS, among other requirements. In announcing the settlement, Acting Deputy Director of Health Information Privacy for OCR Christina Heide said that the settlements “should remind health care organizations of the need to make data security central to how they manage their information systems.”




DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Obermayer Rebmann Maxwell & Hippel LLP | Attorney Advertising
