New York Presbyterian Hospital (NYP) and Columbia University (CU) has agreed to a monetary settlement of $4.8M with the Office of Civil Rights (OCR), this being the most expensive Health Insurance Portability and Accountability Act of 1996 (HIPAA) violation thus far (May 2014) according to a statement by HHS. Prior to this most recent HIPAA violation, Cignet Health paid out $4.3M in 2011 as reported on the “Wall of Shame” breach list.
On September 27, 2010, NYP and CU jointly filed a breach report to (OCR), stating that 6,800 patient records with the patients’ status, vital signs, medications, and laboratory results were compromised.
OCR’s investigation concluded that a physician employed by CU who developed applications for both NYP and CU was the source of the breach. The physician attempted to deactivate a personally-owned computer server on the network containing NYP patient electronic patient health information (ePHI). Deactivation of the server resulted in ePHI being accessible on internet search engines. This could have been prevented through technical safeguards.
NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. The complaint was filed by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the internet.
After a three year investigation, OCR determined the following:
1. Lack of safeguards to ensure the server was secure
2. Neither entity had conducted an accurate and thorough risk analysis
3. Neither entity developed an adequate risk management plan
4. NYP failed to implement and comply with policies and procedures for accessing its database
“When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information,” said Christina Heide, Acting Deputy Director of Health Information Privacy for OCR. “Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.”
NYP ($3.3M) and CU ($1.5) have paid a monetary settlement to OCR and have agreed to a significant corrective action plan including:
- Conducting a risk analysis
- Developing a risk management plan
- Revising policies and procedures
- Training staff
- Providing progress reports
At Delphiis, it is our experience that developing the security program with a strong risk management component is the essential first step to preventing a breach from occurring. Bringing in a partner who has expertise developing security programs should be considered.
The second step is conducting inventory of an organization’s assets and determine shared relationships where ePHI is co-managed. Conduct a risk analysis to measure risks associated with all of the co-managed relationships. Proceed to creating a remediation roadmap defining projects by level of risk, scope and budget, and deciding as a business organization how and when to remediate the findings.
The final step in this simple three pronged plan is to re-assess and report trends and performance metrics clearly and graphically to the C-suite. Communicating security is becoming more and more of a priority among healthcare leaders. The better the security department communicates, the better the department’s projects will be understood, budget allocated and resources assigned.