Another HIPAA Breach, Another Lesson

OCR’s Continued Use of Settlements

By Matt Fisher
Twitter: @matt_r_fisher

On Wednesday, May 7th, the Office of Civil Rights (“OCR”) for the Department of Health and Human Services announced another HIPAA settlement for a breach of patient information. In this most recent settlement, New York and Presbyterian Hospital (“NYPH”) and Columbia University (“CU”) were jointly fined $4.8 million.

NYPH and CU operate a joint arrangement whereby CU faculty members serve as attending physicians at NYPH facilities. As part of the joint arrangement, NYPH and CU maintained a shared data network and a shared network firewall. The breach, which was self-reported, occurred when a CU physician attempted to deactivate a personally owned computer server. The deactivation did not occur as planned, and electronic protected health information (“ePHI”) ended up being freely accessible to internet search engines.

However, the story did not end there. When OCR investigated the incident, it turned out that neither NYPH nor CU had performed an appropriate risk analysis or taken steps to ensure the security of their servers. The lack of appropriate policies and procedures resulted in a failure to adequately protect the ePHI.

In addition to paying the combined $4.8 million fine ($3.3M for NYPH and $1.5M for CU), both entities had to enter into corrective action plans with OCR. The contents of the plans are not surprising, though both focus on requirements under the HIPAA Security Rule.

One of the real takeaways from the settlement is OCR’s continued use of settlements to teach lessons to covered entities and business associates. In this instance, OCR took the opportunity to focus on the necessity of performing a risk analysis and then using that analysis to implement necessary and appropriate security measures. Taking a step back, this settlement should not be overly surprising. OCR, in conjunction with the Office of the National Coordinator for Health IT, released a risk analysis tool in March.

The combination of these actions emphasizes the need for, and importance of, performing a risk analysis. If a risk analysis is not performed, or is not taken seriously, this settlement helps show the potential consequences. As a bottom line, compliance is also the path of least resistance and least danger, even though compliance is not always the area assigned the highest level of importance.

About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.