Largest HIPAA Settlement: $4.8 mil

HHS issued a press release on May 7, 2014 announcing settlements with two healthcare organizations. Following submission of a joint breach report by New York and Presbyterian Hospital (NYP) and Columbia University (CU), the HHS Office of Civil Rights (“OCR”) investigated the disclosure of ePHI of 6,800 individuals, which included patient status, vital signs, medications, and laboratory results. NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.

In addition to the disclosure of ePHI, OCR’s investigation found that neither NYP nor CU had made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections, and that neither entity had conducted a thorough risk analysis or had an adequate risk management plan.

NYP has paid $3.3 million and CU has paid $1.5 million, with both entities agreeing to a substantive corrective action plan.

HHS press release: http://www.hhs.gov/news/press/2014pres/05/20140507b.html

 
