Two organizations fined $4.8 million for HIPAA violations

HIM-HIPAA Insider, May 12, 2014


by Jaclyn Fitzgerald, Editor

OCR recently slapped two organizations with the largest monetary penalty for HIPAA violations to date: $4.8 million. New York and Presbyterian Hospital (NYP) and Columbia University (CU) submitted a joint breach report to OCR in September 2010 following the unauthorized disclosure of ePHI of 6,800 patients, according to an HHS press release.
NYP and CU are separate covered entities (CEs) that are often referred to jointly as New York Presbyterian Hospital/Columbia University Medical Center because many CU faculty members serve as attending physicians at NYP. The two share a data network and a network firewall, according to HHS.
The breach occurred when a CU physician, deactivating a personally owned computer server on the shared network, accidentally made the ePHI of NYP patients publicly searchable on the internet. The OCR investigation found that the server lacked appropriate safeguards.
Additionally, NYP and CU failed to take the necessary precautions to ensure the security of the server prior to the breach. Neither CE had recently performed a risk analysis and therefore did not have a risk management plan. NYP lacked necessary database access policies and procedures and did not comply with its information access management policies, according to HHS.
Each CE paid a portion of the total settlement: NYP paid $3.3 million and CU paid $1.5 million. Each CE also agreed to its own corrective action plan (CAP), which requires performing a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and updating OCR as needed.
