New York-Presbyterian Hospital and Columbia University Medical Center have agreed to pay the HHS Office for Civil Rights a $4.8 million joint settlement over a 2010 data breach, Healthcare IT News reports (McCann, Healthcare IT News, 5/8).
Background on Data Breach
Employees at both organizations manage a shared data network and network firewall, according to an OCR statement. CUMC faculty members serve as attending physicians at New York-Presbyterian (Goedert, Health Data Management, 5/8).
On Sept. 27, 2010, the two entities submitted a joint data breach report after they received a complaint from an individual who found a deceased partner's patient records on the Internet (Conn, Modern Healthcare, 5/7).
Following an investigation, HHS determined that the medical records of about 6,800 of New York-Presbyterian's patients were accessible through online search engines. HHS noted that the hospital was not aware of the breach prior to the complaint (AP/Sacramento Bee, 5/7).
The breach occurred after a physician from CUMC deactivated a server on Presbyterian Hospital's internal data network, after which the patient records became reachable from the public Internet.
The compromised patient records included:
- Lab reports;
- Patient status; and
- Vital signs (Health Data Management, 5/8).
Details of Settlement
New York-Presbyterian Hospital has agreed to pay $3.3 million and CUMC has agreed to pay $1.5 million. The joint settlement is the largest HIPAA monetary fine to date, Healthcare IT News reports (Healthcare IT News, 5/7).
According to an HHS statement, each entity also has agreed to develop a "substantive corrective action plan" that includes:
- Creating a risk management plan;
- Providing progress reports;
- Revising policies and procedures;
- Implementing staff training; and
- Undertaking a risk analysis (Modern Healthcare, 5/7).
However, the entities did not admit liability in the breach and are not liable for related civil money fines under the settlement, Health Data Management reports. In addition, OCR said the settlements were not a concession by the agency that the entities were found to be in violation of HIPAA (Health Data Management, 5/8).
Rachel Seeger, OCR's senior health information privacy outreach specialist, said, "The message here is to get your house in order" (Healthcare IT News, 5/8).
Meanwhile, Presbyterian Hospital spokesperson Doug Levy said on Wednesday that there was no proof, either at the time of the data breach or afterward, that any of the medical records were accessed or used inappropriately.
Levy noted that the hospital is committed to handling patient privacy and medical records with the "greatest respect and integrity" and is taking additional corrective measures as required under its agreement (AP/Sacramento Bee, 5/7).