NewYork-Presbyterian and Columbia University are separate entities but have an affiliation under which Columbia professors work as attending physicians at NewYork-Presbyterian. Through that affiliation, the two organizations share a data network and firewall that links to NewYork-Presbyterian’s patient records database.
According to an investigation by HHS’ Office for Civil Rights, the 2010 breach occurred when a Columbia physician attempted to deactivate a personal computer that was connected to the NewYork-Presbyterian network and contained patient information. A lack of technical barriers then led to patients’ health information being accessible through search engines.
The OCR alleged that neither organization had conducted an adequate risk analysis of all of its IT systems or had an appropriate risk management plan in place. Additionally, NewYork-Presbyterian did not adequately secure its database or follow its own information access policies.
NewYork-Presbyterian paid $3.3 million and Columbia paid $1.5 million in the settlement, and both organizations have agreed to a corrective action plan.