Healthcare News & Insights

What the largest HIPAA settlement yet will mean for your facility

The feds are continuing down the warpath against healthcare facilities with shoddy online security and health information protection — and the stakes keep getting higher.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has been stepping up its HIPAA enforcement.

Judging from the record-setting $4.8 million settlement over the joint data breach from New York Presbyterian Hospital (NYP) and Columbia University Medical Center (CU), it looks like the consequences for not securing your protected health information (PHI) are rising along with the agency’s vigilance.

A record-setting screw-up

NYP and CU have a joint agreement where the two facilities shared a data network and CU faculty members also serve as attending physicians at NYP. Back in September 2010, the facilities filed a joint breach report letting the OCR know that a technological goof had compromised the PHI of nearly 7,000 patients.

According to the HHS report, when a CU physician tried to deactivate a personally-owned computer server while on NYP’s network, he unknowingly made the PHI accessible through internet searches because of a “lack of technical safeguards.”

Information like individuals’ patient status, medications, laboratory results and even some Social Security numbers was exposed, according to FierceHealthcareIT’s report on the breach.

In HHS’ report on the investigation, the agency makes a point of listing all the breach-prevention and information security methods NYP and CU didn’t take to secure their PHI. It noted that neither facility had taken steps to secure the server, conducted accurate or thorough risk assessments, implemented any policies or procedures regarding authorized database access or developed an adequate risk assessment plan to address the potential threats or PHI vulnerabilities.

As a result of the investigation and the court proceedings that followed, NYP paid $3.3 million and CU paid $1.5 million in a settlement, along with agreeing to correct their security deficiencies and provide progress reports to HHS.

A sign of settlements to come?

Even though this case doesn’t even come close to topping the list of OCR’s biggest breaches, it still resulted in the largest settlement for HIPAA violations to date, Modern Healthcare reports.

What’s more worrisome is that some healthcare and IT security professionals believe this case is a sign of future IT security enforcement. More and more breaches are leading to bigger and bigger settlements, according to Adam Greene, a former senior health information-technology and privacy specialist at the OCR.

Greene believes this case may be an example of the OCR’s new tactic to scare other healthcare facilities into HIPAA compliance: putting a fear of the feds into hospitals’ wallets. And it looks like he may have a point. As Modern Healthcare notes in its article, during the first five years of HIPAA, there were no settlements. But over the years, the number of big HIPAA settlements has steadily increased.

Hospital CEOs will want to make sure they’re taking all the necessary steps to be HIPAA compliant if they want to avoid a bill like NYP and CU’s. Be sure your facility is conducting regular risk assessments, has proper protection software and is implementing appropriate database policies to ensure your health information is truly secure.

After all, it’s not just the OCR you’ll have to worry about nosing around your PHI security anymore. Recently, the Federal Trade Commission has also thrown its hat into the ring of PHI/IT security. With so many government agencies acting as PHI security enforcers, the stakes are higher than ever.
