NewYork-Presbyterian Hospital and Columbia University, both in New York City, have paid a combined $4.8 million to settle charges of a HIPAA violation following a 2010 data breach, the largest HIPAA settlement to date.
NewYork-Presbyterian and Columbia University are separate entities, but have an affiliation under which Columbia professors work as attending physicians at NewYork-Presbyterian, and through the affiliation the two organizations share a data network and firewall that links to NewYork-Presbyterian's patient records database.
According to an investigation by HHS' Office for Civil Rights, the 2010 breach occurred when a Columbia physician attempted to deactivate a personal computer that was connected to the NewYork-Presbyterian network and contained patient information. Because no technical barriers prevented it, patients' health information then became accessible through search engines.
OCR alleged that neither organization had conducted an adequate risk analysis of all of its IT systems and that neither had an appropriate risk management plan. Additionally, NewYork-Presbyterian did not adequately secure its database or follow its own information access policies.
NewYork-Presbyterian paid $3.3 million and Columbia paid $1.5 million in the settlement, and both organizations have agreed to a corrective action plan.