- HIPAA Update - http://blogs.hcpro.com/hipaa -

Two organizations fined $4.8 million for HIPAA violations

[1]OCR recently slapped two organizations with the largest monetary penalty for HIPAA violations to date: $4.8 million. New York and Presbyterian Hospital (NYP) and Columbia University (CU) submitted a joint breach report to OCR in September 2010 following the unauthorized disclosure of ePHI of 6,800 patients, according to an HHS press release. [2]

NYP and CU are separate covered entities (CE) that are often referred to jointly as New York Presbyterian Hospital/Columbia University Medical Center because many CU faculty members serve as attending physicians at NYP. The two have a shared data network and shared network firewall, according to HHS.

A CU physician accidentally made the ePHI of NYP patients publically searchable on the internet after deactivating a personally-owned computer server on the network, leading to the breach. The OCR investigation revealed that the server lacked appropriate safeguards.

Additionally, NYP and CU failed to take the necessary precautions to ensure the security of the server prior to the breach. Neither CE had recently performed a risk analysis and therefore did not have a risk management plan. NYP lacked necessary database access policies and procedures and did not comply with its information access management policies, according to HHS.

Each CE paid a portion of the total settlement, with NYP to paying $3.3 million and CU paying $1.5 million. Each CEs agreed its own corrective action plan (CAP) that highlights the need for performing a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and updating OCR as needed.

View the CAP for NYP. [3]

View the CAP for CU. [4]