Neglecting or failing to comply with HIPAA rules is certain to attract enormous penalties. Proof of this is the latest hefty HIPAA penalty from federal regulators: a settlement totaling $4.8 million with New York-Presbyterian Hospital and Columbia University. The case involved the breach of unsecured patient data on a shared network, affected about 6,800 patients, and included the disclosure of electronic personal health information, patient status, vital signs, medications and laboratory results.
With the Columbia University faculty members serving as attending physicians at NY Presbyterian, the entities refer to their affiliation as “New York Presbyterian Hospital/Columbia University Medical Center”, and operate a shared data network and a shared network firewall administered by employees of both entities. OCR investigations revealed that the shared network links to NY Presbyterian patient information systems containing electronic protected health information.
Christina Heide, acting deputy director of health information privacy for OCR, emphasizes that it is imperative for entities participating in joint compliance arrangements to share the burden of addressing the risks to protected health information. However, NYP and CU failed to make data security central, and failed to implement appropriate policies and procedures for authorizing access to its databases. The entities learned of the breach after receiving a complaint from an individual who found the ePHI of the individual’s deceased partner, a former patient at NY Presbyterian, on the Internet.
Further OCR investigations found that the breach occurred when a physician employed by the university, who developed applications for both NY Presbyterian and Columbia University, attempted to deactivate a personally owned computer server on the network that contained information on hospital patients. Owing to the lack of necessary technical safeguards, the deactivation of the server resulted in ePHI becoming accessible through Internet search engines.
Besides the prohibited disclosure of ePHI on the Internet, OCR’s investigations revealed that no efforts were made by NY Presbyterian or Columbia University to ensure that the server was secure with appropriate software protections. Neither of the entities carried out an accurate and thorough risk analysis that identified all systems that access NYP ePHI.
OCR investigations thus concluded that neither entity had developed an adequate risk management plan to address the potential threats and hazards to the security of ePHI. NY Presbyterian failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.
The breach resulted in NY Presbyterian paying the OCR a monetary settlement of $3.3 million, and Columbia University paying $1.5 million. This is one of the heftiest penalties yet, and security expert Brian Evans, principal consultant of Tom Walsh Consulting, says that he expects to see more settlements of this kind, as the OCR has repeatedly stated that it is stepping up its enforcement actions.
A number of data breaches have been reported in the recent past, and every breach incident carries a costly lesson for organizations that do not take HIPAA compliance seriously. It is important to remember that even the smallest negligence or failure in this regard can threaten the very survival of a business. Although both New York-Presbyterian Hospital and Columbia University have agreed to a corrective action plan that includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff and providing progress reports, such an incident could have been completely averted if an integrated security and compliance solution like Aegify SecureGRC, Security Posture Management, and Aegify Risk Management had been adopted. With its comprehensive security capabilities, SecureGRC can make HIPAA compliance unimaginably simple.