On May 7, the Department of Health and Human Services Office for Civil Rights rocked the healthcare world by handing down $4.8 million in fines to New York and Presbyterian Hospital (NYP) and Columbia University (CU) due to a breach of HIPAA regulations dating back to 2010. This represents the largest HIPAA-related settlement to date—and it resulted from the improper disclosure of electronic protected health information (ePHI) for just 6,800 individuals. That’s nearly $706 per exposed record!
How did the breach happen? Through preventable human error, which still represents the biggest threat to healthcare practice security. A physician and application developer employed by Columbia tried to deactivate a personally owned server on the network that held NYP patient ePHI; the deactivation left the protected information accessible to public search engines. The breach actually came to light when a deceased patient’s partner stumbled upon that patient’s ePHI online.
The investigation into NYP/CU’s data breach also found that neither organization:
- Attempted to protect its network with appropriate IT safeguards
- Conducted “accurate and thorough” risk analyses
- Developed risk management plans for ePHI security
- Implemented policies and procedures spelling out information access management
But the most revealing part of the story developed a week later on May 15, when HealthITSecurity.com reported that many industry experts expect further heavy fines this summer—and stricter HIPAA audit rounds this fall. Healthcare attorney Susan Miller added that going above and beyond basic compliance requirements is the best way to protect a business from a breach and the fallout that follows it. She suggested these elements of a compliance package:
- Privacy, Security, and Breach Notification Rule policies and procedures
- Notices of Privacy Practices (NPPs) and business associate agreements (BAAs)
- Detailed breach plans—reviewed and updated yearly
- Detailed staff training plans—reviewed and updated yearly
- Detailed communication plans—reviewed and updated yearly
- Business continuity and disaster recovery plans—reviewed and updated yearly
- Data encryption policies and procedures
- Audit and monitoring plans—reviewed and updated yearly
- Governance documentation
- Annual internal HIPAA compliance audits
- Annual Security Risk Analyses and Assessments
Many small practitioners think the above requirements only apply to large medical offices. But HHS has handed down fines of $100,000 to a two-physician cardiac surgery office in Arizona and $150,000 to a four-location dermatology practice in New England. So the threat to one-doctor shops is real.
Does your business need help achieving HIPAA compliance? Do the disparate elements listed above sound easy to implement—or time-consuming and difficult? Do you want to avoid the kind of gargantuan fines levied on New York Presbyterian Hospital and Columbia University? If so, contact CMIT Solutions today. We speak the complicated language of HIPAA-related IT security, and we offer business owners tested solutions that produce real results.