According to a press release issued May 7, 2014, by the Department of Health and Human Services (“DHHS”) Office for Civil Rights (“OCR”), “Two health care organizations have agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network. The monetary payments of $4,800,000 include the largest HIPAA settlement to date. . . . [OCR] initiated its investigation of New York and Presbyterian Hospital (NYP) and Columbia University (CU) following their submission of a joint breach report, dated September 27, 2010, regarding the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results.”

OCR’s investigation revealed that the HIPAA breach occurred “when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.”

OCR also found that neither NYP nor CU “had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI.” Further, NYP had “failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.”

Again, according to the press release, NYP has paid OCR a monetary settlement of $3,300,000, and CU has paid a monetary settlement of $1,500,000, with both entities agreeing to a substantive corrective action plan (“CAP”), “which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports.”

This settlement underscores exactly what we at EMR Legal preach to our clients, seminar attendees, and workshop participants:

1. Complete your gap analysis and then risk analysis.
2. Implement reasonable and appropriate security measures.
3. Implement and policies and procedures (implement the required policies and procedures, address the addressable policies and procedures, and consider whether you need to implement other policies and procedures not even mentioned in HIPAA or its implementing regulations).
4. Enforce your policies and procedures according to your required Sanction Policy.
5. Train your workforce.
6. Keep all of your written documentation of HIPAA compliance for at least six (6) years.

If you need help in avoiding HIPAA violations, order from VeteransPress.com our Gap Analysis and Risk Analysis toolkits, The Complete HIPAA Policies and Procedures Guide by Jonathan P. Tomes with Richard D. Dvorak and yours truly, Alice M. McCart, with accompanying HIPAA Compliance Sample Policies and Procedures CD, and Your Happy HIPAA Book, in which to file in one handy place all of your written HIPAA compliance documentation.