Another HIPAA Breach, Another Lesson

On Wednesday, May 7th, the Office for Civil Rights ("OCR") of the Department of Health and Human Services announced another HIPAA settlement for a breach of patient information. In this most recent settlement, New York and Presbyterian Hospital ("NYPH") and Columbia University ("CU") agreed to pay a combined $4.8 million.

NYPH and CU operate a joint arrangement under which CU faculty members serve as attending physicians at NYPH facilities. As part of that arrangement, NYPH and CU maintained a shared data network and a shared network firewall. The breach, which was self-reported, occurred when a CU physician attempted to deactivate a personally owned computer server connected to that shared network. The deactivation did not go as planned, and electronic protected health information ("ePHI") ended up freely accessible to internet search engines.

However, the story did not end there. When OCR investigated the incident, it found that neither NYPH nor CU had performed an appropriate risk analysis, nor taken steps to ensure the security of their servers, including confirming that a server holding ePHI could be connected to the shared network at all. The absence of appropriate policies and procedures resulted in a failure to adequately protect the ePHI.

In addition to paying the combined $4.8 million ($3.3 million for NYPH and $1.5 million for CU), both entities had to enter into corrective action plans with OCR. The contents of the plans are not surprising; both focus on requirements under the HIPAA Security Rule, including completing a thorough risk analysis, developing a risk management plan, revising policies and procedures, and training the workforce on them.

One of the real takeaways from the settlement is OCR's continued use of settlements to teach lessons to covered entities and business associates. In this instance, OCR took the opportunity to focus on the necessity of performing a risk analysis and then using that analysis to implement necessary and appropriate security measures. Taking a step back, this settlement should not be overly surprising. OCR, in conjunction with the Office of the National Coordinator for Health IT, released a security risk assessment tool in March.

The combination of these actions emphasizes that a risk analysis must be performed, and performed as an ongoing process rather than a one-time paper exercise: the analysis is only useful if the risks it identifies are actually addressed. If a risk analysis is not performed, or not taken seriously, this settlement shows the potential consequences. As a bottom line, compliance is the path of least resistance and least danger, even though it is not always treated as the highest priority.

About Matt Fisher

Matt is the chair of Mirick O'Connell's Health Law Group and a partner in the firm's Business Group. Matt focuses his practice on health law and all areas of corporate transactions. Matt's health law practice includes advising clients with regulatory, fraud, abuse, and compliance issues. With regard to regulatory matters, Matt advises clients to ensure that contracts, agreements and other business arrangements meet both federal and state statutory and regulatory requirements. Matt's regulatory advice focuses on complying with requirements of the Stark Law, Anti-Kickback Statute, fraud and abuse regulations, licensing requirements and HIPAA. Matt also advises clients on compliance policies to develop appropriate monitoring and oversight of operations.
Posted in Health IT, HIPAA, HITECH.
