Thursday, May 8, 2014

Data Breach Results in $4.8 Million HIPAA Settlements

New York and Presbyterian Hospital

New York and Presbyterian Hospital (NYP) has agreed to pay OCR $3,300,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, and will adopt a corrective action plan to evidence its remediation of these findings. Read the Resolution Agreement

HHS’ investigation indicated that the following conduct occurred (“Covered Conduct”): 
  • a. NYP impermissibly disclosed the ePHI of 6,800 patients to Google and other Internet search engines when a computer server that had access to NYP ePHI information systems was errantly reconfigured, leaving the data reachable by search engine crawlers. 
  • b. NYP failed to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI. 
  • c. NYP failed to implement processes for assessing and monitoring all IT equipment, applications, and data systems that were linked to NYP patient databases prior to the breach incident, and failed to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level. 
  • d. NYP failed to implement appropriate policies and procedures for authorizing access to its patient databases, and failed to comply with its own policies on information access management. 

Columbia University

Columbia University (CU) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, including a $1,500,000 monetary settlement and a corrective action plan to address deficiencies in its HIPAA compliance program. Read the Resolution Agreement

HHS’ investigation indicated that the following conduct occurred (“Covered Conduct”): 

  • a. CU failed to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI, including the server accessing NYP ePHI. 
  • b. CU failed to implement processes for assessing and monitoring IT equipment, applications, and data systems that were linked to NYP patient databases prior to the breach incident, and failed to implement security measures sufficient to reduce the risk of inappropriate disclosure to an acceptable level. 
