New York Presbyterian Hospital & Columbia University Pay $4.8 Million to Settle Alleged HIPAA Violations
On May 7, 2014, New York-Presbyterian Hospital ("NYP") and Columbia University ("CU") agreed with the Department of Health and Human Services ("HHS") to collectively pay $4.8 million to settle charges of alleged violations of the HIPAA Privacy and Security Rules, marking the largest HIPAA settlement to date.
The HHS Office for Civil Rights ("OCR") initiated an investigation of NYP and CU after receiving a joint breach report in September 2010 regarding the disclosure of the electronic protected health information ("ePHI") of 6,800 individuals. Due to a lack of technical safeguards, protected health information including patient status, vital signs, medications, and laboratory results was made publicly accessible through Internet search engines.
At the close of the investigation, OCR determined that neither NYP nor CU had conducted an accurate and thorough risk analysis or developed an adequate risk management plan. OCR further determined that NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.
In addition to the $4.8 million settlement (NYP to pay $3.3 million and CU to pay $1.5 million), both parties will also be required to implement a substantive corrective action plan to correct deficiencies in their HIPAA compliance programs, including:
• Undertaking a thorough risk analysis;
• Developing and implementing a risk management plan;
• Reviewing and revising policies and procedures on information access management and device and media controls;
• Training staff that have access to ePHI; and
• Providing progress reports.
Notably, this settlement highlights the significance of conducting routine risk and vulnerability assessments, having adequate written policies in place, and conducting workforce training on HIPAA privacy and security policies. It is imperative that all covered entities and business associates proactively review the mandatory requirements under HIPAA and carefully evaluate and monitor their compliance.