This blog will address the many law suits that occurred because of HIPAA violations due to data security breaches. It will also take a look at the methods used by those who breach the data.
Due to the August 2009 Breach Notification Rule included in the Health Information Technology for Economic and Clinical Health Act, HIPAA-covered entities and associated businesses are required to provide notification following a data breach of protected health information. Groups reporting breaches that compromised the protected health information of 500 individuals or more must be posted by the Department of Health and Human Services. Since the 2009 rule, 489 HIPAA-covered entities have reported breaches involving 500 individuals or more.
New York Presbyterian Hospital (NYP) and Columbia University (CU) have recently agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information held on their network. The monetary payments of $4,800,000 include the largest HIPAA settlement to date. It appears that with this judgment, many healthcare organizations are beginning to take patient identity management and security more seriously.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) initiated its investigation of New York Presbyterian Hospital (NYP) and Columbia University (CU) following their submission of a joint breach report, dated September 27, 2010, regarding the disclosure of the protected health information of 6,800 individuals, including patient identity, status, vital signs, medications, and laboratory results.
NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. The entities generally refer to their affiliation as “New York Presbyterian Hospital/Columbia University Medical Center.” NYP and CU operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to NYP patient information systems containing protected health information.
The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient protected health information. Because of a lack of technical safeguards, deactivation of the server resulted in the information being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the information of the individual’s deceased partner, a former patient of NYP, on the internet.
In addition to the impermissible disclosure of protected health information on the internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP health information. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of patients’ protected health information. Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.
NYP has paid OCR a monetary settlement of $3,300,000 and CU $1,500,000, with both entities agreeing to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports.
WCT is in the business of Compliance, Identity & Security assurance. For more information, you can reach us on (firstname.lastname@example.org)
U.S. Department of Health and Human Services. (2014, May 7). Data breach results in $4.8 million HIPAA settlements. Retrieved from http://www.hhs.gov/news/press/2014pres/05/20140507b.html