On Wednesday, New York Presbyterian Hospital and Columbia University agreed to settle claims with the Department of Health and Human Services (HHS) Office for Civil Rights for a collective $4.8 million stemming from a data breach in 2010. This matter, along with other similar cases, should serve as an important warning to healthcare providers and other HIPAA covered entities that personal health information (PHI) of patients must be protected, especially in the electronic age. If a data network is breached and PHI is made available, HHS will use its enforcement powers to assess punitive penalties and institute corrective actions in order to achieve compliance.
Under the terms of the settlement, New York Presbyterian will pay $3.3 million while Columbia University will pay $1.5 million. Both entities must also institute corrective action plans. The settlement represents the highest combined total financial penalty issued to an entity covered by HIPPA. As part of the settlement, the entities must undergo a risk analysis, develop a risk management plan, revise policies and procedures, train staff and provide progress reports.
The investigation and subsequent settlement were brought on by a data breach incident in 2010 where the shared data system for New York Presbyterian and Columbia University was breached and the records of 6,800 patients were made available on the internet. The data breach occurred when a physician attempted to deactivate a personally owned computer server on the network. The Office for Civil Rights alleged that that due to a lack of technical safeguards, deactivation of the server resulted in PHI being accessible via internet search engines.
If you are a HIPAA covered entity or business associate and need assistance with complying with or understanding the HIPAA Privacy and Security Rules, please contact an experienced healthcare attorney at Wachler & Associates at (248) 544-0888 or via e-mail at wapc@wachler.com.