The Department of Health and Human Services has issued its largest HIPAA enforcement action to date, entering settlements totaling $4.8 million with two New York organizations tied to the same 2010 breach. The incident, which involved unsecured patient data on a network, affected about 6,800 patients.
The settlements with New York-Presbyterian Hospital and Columbia University cite, among other factors, the lack of a risk analysis and failure to implement appropriate security policies.
In a joint statement provided to Information Security Media Group, the two New York organizations say, "[We] are committed to providing not only the highest levels of medical care to our patients but also handling their personal and medical data with the greatest respect and integrity. For more than three years, we have been cooperating with HHS by voluntarily providing information about the incident in question, as well as undertaking substantial efforts concerning the protection of privacy and security of patient data. We also have continually strengthened our safeguards to enhance our information systems and processes, and will continue to do so under the terms of the agreement with HHS."
Commenting on the size of the penalty in the settlement, security expert Brian Evans, principal consultant of Tom Walsh Consulting, notes: "I would expect to see these kinds of settlements since OCR has repeatedly stated that they are stepping up their enforcement actions."
HHS' Office for Civil Rights initiated its investigation after the two New York organizations submitted a joint breach report, dated Sept. 27, 2010, regarding the disclosure of the electronic personal health information, including patient status, vital signs, medications and laboratory results.
Columbia University faculty members serve as attending physicians at NY Presbyterian. The entities refer to their affiliation as "New York Presbyterian Hospital/Columbia University Medical Center."
NY Presbyterian and Columbia University operate a shared data network and a shared network firewall administered by employees of both entities. The shared network links to NY Presbyterian patient information systems containing electronic protected health information, according to OCR.
The OCR investigation revealed that the breach was caused when a physician employed by the university, who developed applications for both NY Presbyterian and Columbia University, attempted to deactivate a personally owned computer server on the network containing information on hospital patients.
Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on Internet search engines. The entities learned of the breach after receiving a complaint from an individual who found the ePHI of the individual's deceased partner, a former patient at NY Presbyterian, on the Internet.
In addition to the impermissible disclosure of ePHI on the Internet, OCR's investigation found that neither NY Presbyterian nor Columbia University made efforts before the breach to ensure that the server was secure and that it contained appropriate software protections, OCR says.
"Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI," OCR says in a statement. "As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI."
NY Presbyterian failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management, OCR says.
"When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information," says Christina Heide, acting deputy director of health information privacy for OCR. "Our cases against NYP and CU should remind healthcare organizations of the need to make data security central to how they manage their information systems."
NY Presbyterian has paid OCR a monetary settlement of $3.3 million, while Columbia University has paid $1.5 million. Also, both entities agreed to a corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff and providing progress reports, OCR reports.
The hospital, according to the corrective action plan, has agreed to "review, and to the extent necessary, revise its policies and procedures related to the use of hardware and electronic media including, but not limited to laptops, servers, tablets, mobile phones, USB drives, external hard drives, DVDs and CDs that may be used to access, store, download, or transmit NYP ePHI. The policies shall also address security responsibilities, including disposal and reuse of personal devices and media and regular compliance monitoring."
Evans, the consultant, says there are a few lessons that other healthcare entities can learn from OCR's latest settlements.
"Healthcare organizations need to accept that the environment has changed and must recognize that they operate in a new paradigm - one that demands more effort and accountability with respect to information risk management," he says. "It is not about regulatory compliance as much as it is about managing information risk.
"Organizations that attempt minimum compliance with HIPAA often fail to manage information risk because form is stressed over substance. Organizations need to understand that security is an ongoing cost of doing business and not a one-time expense. They must factor the cost of maintaining an information security program into their business model and not treat it as an 'add-on.'"
Additionally, Evans says OCR settlements such as these catch the attention of other healthcare organizations for improving their own compliance efforts. "Penalties for noncompliance with the HIPAA Security rule can have a positive influence on the tone, priorities and culture of an organization," he says. "So, I anticipate enforcement actions becoming the expected outcome when non-compliance is discovered."
Until this $4.8 million settlement was announced, OCR's largest HIPAA non-compliance enforcement action was a $4.3 million civil penalty against Cignet Health in 2011. In that case, the organization refused to provide patients with their medical information and then refused to cooperate with investigators, OCR says.
In April, OCR entered into HIPAA settlements totaling nearly $2 million with two covered entities, Concentra Health Services and QCA Health Plan Inc., each tied to relatively small breaches involving stolen unencrypted laptop computers (see 2 Stolen Laptops Lead to Penalties).