Wednesday, October 1, 2014

HIPAA Violation Results in $4.8 Million Settlement: An IT Perspective

By Jared A. Smith

In today’s healthcare industry, information technology (“IT”) systems play an ever-expanding role in the success of a medical practice. Medical practitioners consistently juggle e-billing and electronic medical records software risks, HIPAA compliance issues, data security and data privacy requirements, and meaningful use thresholds, all of which are typically addressed in IT vendor agreements. Further, IT vendors are often willing to accept significant revisions to their standard contracts, and well-negotiated and properly structured relationships with IT vendors can protect medical practices from disaster in the event of an IT system failure like the one outlined below.

In our previous issue of Healthcare Legal News, Rose Willis described a record-setting fine imposed on New York-Presbyterian Hospital (“Hospital”) and Columbia University Medical Center (“Columbia”) for HIPAA violations associated with their IT infrastructure. Specifically, a Columbia doctor inadvertently disclosed the electronic protected health information (“ePHI”) of about 7,000 patients to Google and other easily-accessible search engines when he deactivated his personally owned server from the Columbia network. The Hospital and Columbia learned of the data security breach when they received a complaint from an individual who discovered the ePHI of the individual’s deceased partner through a simple Internet search, and the Hospital and Columbia then self-reported the breach to the Department of Health and Human Services Office for Civil Rights (“OCR”). At the conclusion of OCR’s investigation into the breach, the Hospital and Columbia agreed to enter into a settlement and a Corrective Action Plan that required the payment of $4.8 million to OCR, the largest settlement for HIPAA security violations to date.

Aside from the extent of the breach – almost 7,000 patients’ ePHI exposed to anyone with Internet access – the size of the settlement can be attributed to two major failures on the part of the Hospital and Columbia. First, the Hospital and Columbia lacked sufficient IT safeguards, which permitted a single doctor to accidentally expose the ePHI of such a large number of patients. Generally, a medical practice’s IT infrastructure should be structured in a way that does not permit one person to accidentally compromise the entire system’s security, and a strong IT services agreement with a reputable IT vendor is an important first step in avoiding such a scenario. The best IT vendors work closely with their clients to implement IT safeguards tailored to each distinct medical practice, and a negotiated IT vendor contract should appropriately allocate data security risk between the medical practice and the IT vendor.

Second, the Hospital and Columbia failed to perform a sufficiently thorough risk analysis of their IT systems. Under the HIPAA Security Rule, most healthcare providers are required to conduct a risk analysis of their IT equipment to determine where data security vulnerabilities exist and how to effectively address them. Here, the Hospital and Columbia did, in fact, conduct risk analyses, but OCR determined that their risk analyses did not adequately address their particular data security issues. Again, experienced IT vendors collaborate with their clients so that data security vulnerabilities are discovered, and the risk analysis obligations of the applicable medical practice and the IT vendor should be well-defined in a negotiated IT vendor agreement.