The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced its largest settlement to date—$4.8 million—under the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. New York Presbyterian Hospital (NYP) and Columbia University (CU) agreed to pay $3.3 million and $1.5 million, respectively, for their failure to secure electronic protected health information (ePHI) on their shared network.
OCR initiated an investigation in Nov. 2010 after NYP and CU jointly reported a breach that exposed ePHI of 6,800 NYP patients to Internet searches via Google and other search engines. The breach occurred when a physician who was employed by CU and developed applications for both NYP and CU attempted to deactivate a personally-owned computer server that had access to ePHI on the network. The investigation indicated that the computer server was errantly reconfigured and that neither NYP nor CU took steps to assure the security of the server and the use of appropriate software protection.
OCR once again placed particular emphasis on risk analysis, consistent with a long line of OCR resolution agreements and pronouncements, as well as the recent issuance of the Security Risk Assessment Tool. OCR faulted both NYP and CU for their failure to conduct accurate and thorough risk analysis of all IT equipment, applications, and data systems utilizing ePHI and for their related failure to develop an adequate risk management plan to protect the security of ePHI.
A warning to those in joint compliance arrangements
This settlement also serves as a warning that covered entities who share ePHI platforms or functions may also share potential liability for noncompliance. NYP and CU are separate covered entities that engage in joint arrangements, including service by CU’s physician faculty members as attending physicians at NYP. The hospital and university operate a shared data network linked to NYP’s patient information systems and jointly administer a shared network firewall. In the press release, Christina Heide of OCR observed that:
“When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information. Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.”
OCR’s press release is available at the U.S. Department of Health and Human Services' website, which includes links to both Resolution Agreements.
Trending towards additional and more aggressive scrutiny
With the HIPAA Omnibus Rule firmly in place, OCR has been imposing progressively more frequent and more stringent fines in its HIPAA settlements. This is the fifth HIPAA resolution agreement announced by OCR in less than five months, and follows closely on the heels of OCR’s April 22 announcement of two settlements based on failure to encrypt stolen laptops, resulting in settlements totaling nearly $2 million. Business associates are now subject to the HIPAA Privacy and Security Rules and potential penalties for noncompliance. Covered entities and business associates will face additional scrutiny with OCR’s upcoming HIPAA audits. Furthermore, an expanding array of potential enforcers, including the Federal Trade Commission (FTC), state attorneys general, and class action plaintiffs, in addition to OCR stand ready to pounce on any data breach or any real or perceived shortcoming in data security or privacy.
For more information on these developments and on some action steps of particular importance, please read our previous Alert "HIPAA covered entities and business associates face plethora of cyber security enforcers." A related consideration is that failure to conduct adequate risk analysis would prevent an eligible hospital or eligible professional from satisfying meaningful use standards and could subject a healthcare provider to denial or return of incentive payments, or even potential false claims exposure or exclusion from federal healthcare programs.
Covered entities and business associates would be well advised to heed the advice of OCR Director Leon Rodriguez, who warned in Dec. 2013 that:
“As we say in health care, an ounce of prevention is worth a pound of cure. That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens. Covered entities and business associates of all sizes need to give priority to securing electronic protected health information.”
For more information, please contact one of the attorneys listed below.