NewYork-Presbyterian and Columbia University are separate entities, but have an affiliation under which Columbia professors work as attending physicians at NewYork-Presbyterian, and through the affiliation the two organizations share a data network and firewall that links to NewYork-Presbyterian’s patient records database.
According to an investigation by HHS’ Office for Civil Rights, the 2010 breach occurred when a Columbia physician attempted to deactivate a personal computer that was connected to the NewYork-Presbyterian network and contained patient information. A lack of technical barriers then led to patients’ health information being accessible through search engines.
The OCR alleged that neither organization had conducted an adequate risk analysis of all of its IT systems, and that neither had an appropriate risk management plan. Additionally, NewYork-Presbyterian did not adequately secure its database or follow its own information access policies.
NewYork-Presbyterian paid $3.3 million and Columbia paid $1.5 million in the settlement, and both organizations have agreed to a corrective action plan.