e-mail Print Share

Data breach leads to HIPAA settlements

May 15, 2014

By Craig Palmer

Washington—This is the story of a breach of unsecured electronic protected health information, how it went down and payments of $4.8 million to settle potential HIPAA violations, the largest settlement in HIPAA history as of May 8, 2014.

Resolution agreements between the U.S. Department of Health and Human Services HHS Office for Civil Rights, New York and Presbyterian Hospital and the Trustees of Columbia University describe terms and conditions of the settlements but are neither admissions of liability by NYP or CU nor concessions by HHS that they are not in violation of HIPAA privacy and security rules.

All parties agree to the “factual background” described in the agreements: Sept. 27, 2010, notification from New York-Presbyterian Hospital and Columbia University Medical Center to the HHS Office for Civil Rights regarding a breach of ePHI and subsequent investigation regarding compliance with privacy and security rules promulgated by HHS pursuant to the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996.

According to the Office for Civil Rights, the investigation revealed that the breach was caused when a Columbia-employed physician, who developed applications for both NYP and CU, tried to deactivate a personally-owned computer server on the network containing NYP patients’ electronic protected health information.

“Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines,” said the OCR news release. “The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former NYP patient, on the internet.”

OCR said the investigation found that neither HIPAA-covered entity made efforts prior to the breach to assure that the server was secure and contained appropriate software protections, neither had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI and neither had developed an adequate risk management plan that addressed the potential threats and hazards to the security of electronic protected health information.

NYP paid a monetary settlement of $3,300,000 and CU paid $1,500,000 with both entities agreeing to “substantive corrective action” plans to include risk analysis, risk management, revised policies and procedures, staff training and progress reports, OCR said.

The ADA Complete HIPAA Compliance Kit (J598) describes changes under the 2013 HIPAA omnibus final rule and offers tools to help dentists design and implement a comprehensive HIPAA compliance program. To purchase the kit visit ADAcatalog.org or call the ADA member service center at 1-800-947-4746.

A dental practice is covered by HIPAA if it sends a “covered transaction” in electronic form, such as submitting a claim to a dental plan, or if another party such as a clearinghouse sends an electronic covered transaction on behalf of the dental practice.