The Biggest HIPAA Settlement in History

Posted by Rebecca Santorios on January 7, 2016

HIPAA compliant hosting, when done properly, can help protect you from serious compliance violations. Take, for example, the breach that resulted in the largest HIPAA settlement to date.

This May, New York and Presbyterian Hospital and Columbia University paid a combined settlement of $4.8 million. This is the largest settlement amount with the OCR for a HIPAA violation so far.

What went wrong?

New York and Presbyterian Hospital (NYP) and Columbia University (CU) operate a shared data network and a shared network firewall, which links patient information systems containing ePHI. According to the HHS, the breach occurred when a physician who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the shared network containing patient ePHI. The PHI of approximately 6,800 patients on that network then became publicly available via internet search engines – data that included patient status, vital signs, medications, and laboratory results.

More than just technology

A lack of technical safeguards caused the breach, but the two organizations' shortcomings in system-wide controls helped make the penalties so severe.

The OCR investigated the issue and found that:

  • Neither NYP nor CU had made efforts to ensure that appropriate protections were in place for the server
  • Neither NYP nor CU had conducted an accurate and thorough risk analysis that identified all systems that access ePHI
  • NYP failed to implement appropriate policies and procedures for authorizing access to its databases
  • NYP failed to comply with its own policies on information access management

In a press release, the Acting Deputy Director of Health Information Privacy for OCR stated that, "Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems."

Would HIPAA compliant hosting prevent this?

A truly HIPAA compliant hosting provider has all of the systems in place to avoid this type of breach, and to avoid the glaring deficiencies the OCR cited in its investigation.

Specifically, if this system were managed by a HIPAA compliant hosting provider, it would have been subject to:

  • Risk Analysis – The server in question would have been part of a system-wide risk assessment, providing the foundation for securing ePHI
  • Physical Controls – Site-wide physical security, restricting access to the server in question
  • Procedural Controls – Change control procedures to ensure that the change was planned and its impact on ePHI assessed before being implemented
  • Technical Controls – Software-based access restriction to add another layer of protection against unauthorized changes. Most importantly, based on the assessment of the change, the right technical controls could have been identified and put in place before the server was deactivated

As the OCR's response to this settlement confirms, HIPAA compliance shouldn't be treated as an add-on to your IT service; it should be at the core of your solution.

At ByteGrid, compliance isn't an optional service – it's the primary focus of our business. Our EHNAC accreditation and years of compliant hosting are evidence of how successful we've been in achieving that.

Contact us today and learn what HIPAA compliant hosting can do for you.