Largest HIPAA Settlement: $4.8 Million

HHS issued a press release on May 7, 2014 announcing settlements with two healthcare organizations. Following submission of a joint breach report by New York and Presbyterian Hospital (NYP) and Columbia University (CU), the HHS Office for Civil Rights (“OCR”) investigated the disclosure of ePHI of 6,800 individuals, which included patient status, vital signs, medications, and laboratory results. NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. The investigation revealed that the breach was caused when a physician employed by CU, who developed applications for both NYP and CU, attempted to deactivate a personally-owned computer server on the network that contained NYP patient ePHI. Because of a lack of technical safeguards, deactivating the server left the ePHI accessible to internet search engines.

In addition to the disclosure of ePHI, OCR’s investigation found that neither NYP nor CU had made efforts prior to the breach to ensure that the server was secure and that it contained appropriate software protections, and that neither entity had conducted a thorough risk analysis or had an adequate risk management plan.

NYP has paid $3.3 million and CU has paid $1.5 million, with both entities agreeing to a substantive corrective action plan.

HHS press release: http://www.hhs.gov/news/press/2014pres/05/20140507b.html


The Office Workhorse is a Digital Machine

And it is worth sanitizing.

On August 14, 2013, HHS announced a settlement with Affinity Health Plan, Inc. after investigating the finding of sensitive health data stored on copier hard drives.

Affinity Health Plan, a not-for-profit managed care plan serving the New York metropolitan area, was informed by CBS Evening News that CBS had purchased a photocopier previously used by Affinity that still contained confidential medical information on its hard drive. Affinity in turn reported this breach to the HHS Office for Civil Rights on April 15, 2010. Affinity estimated that up to 344,579 individuals may have been affected by the breach.

OCR reports that its investigation revealed that Affinity impermissibly disclosed the protected health information of these individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives. Affinity and OCR negotiated a settlement, which included a $1.2 million payment and “a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all ePHI.”

See HHS press release: http://www.hhs.gov/news/press/2013pres/08/20130814a.html