Largest Ever HIPAA Fine Comes Down Hard On Two New York Hospitals

May 29, 2014 | Chivaroli and Associates Insurance Services | Article Archives

Publication Date: 5/16/2014

Source: Mondaq Business Briefing

By Ms Asha Natarajan

New York-Presbyterian Hospital (NYP) will pay $3.3 million and Columbia University (CU) will pay $1.5 million to settle allegations that they failed to secure thousands of patients’ electronic protected health information (ePHI) held on their network. The monetary payments totaling $4,800,000 are the largest HIPAA settlement to date. In addition to the payment of this significant fine, NYP and CU have agreed to implement a substantial corrective action plan under the NYP Resolution Agreement and CU Resolution Agreement, which includes the following obligations:

  • Conduct a thorough risk analysis;
  • Develop and implement a risk management plan and a process for evaluating environmental and operational changes;
  • Review and revise policies and procedures on information access management and device and media controls;
  • Comply with the evaluation standard; and
  • Develop a privacy and security awareness training program.

Although NYP and CU are separate covered entities, they participate in a joint arrangement whereby CU faculty serve as attending physicians at NYP. Under this arrangement, NYP and CU operate a shared data network and shared network firewall that is administered by employees of both entities.

The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the internet. In response to this complaint, NYP and CU submitted a joint breach report in September 2010 related to the disclosure of ePHI of 6,800 individuals, including patient status, vital signs, medications and lab results. Following this submission, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) began its investigation of both hospitals.

OCR’s investigation revealed that the breach occurred when a CU-employed physician, who developed applications for both NYP and CU, attempted to deactivate a personally owned computer server on the network containing NYP patient ePHI. Due to a lack of technical safeguards, the deactivation caused ePHI to be accessible on internet search engines.

OCR findings focused on the inadequacy of risk assessment and risk management at NYP and CU. Prior to the breach, neither NYP nor CU made efforts to assure that the server was secure and that it contained adequate software protections. Neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. Neither entity developed an adequate risk management plan that addressed potential threats and hazards to the security of ePHI. In addition, NYP failed to implement appropriate policies and procedures to authorize access to its databases and failed to comply with its own policies on information access management.

Key takeaways:

  • Joint information technology arrangements create a shared burden among participating entities to address the risks to protected health information.
  • Data security should be central to how health care organizations manage their information systems.

As is customary in OCR settlements, neither NYP nor CU admitted liability, and OCR explicitly stated that the signed resolution agreements do not represent a concession by the agency that the entities were not in violation of HIPAA and were not liable for civil monetary penalties.

To make sure your business is properly protected, contact Chivaroli & Associates.
