On May 7th, two New York hospitals agreed to pay the Department of Health and Human Services (“HHS”) $4.8 million to settle claims that the hospitals had failed to secure patients’ electronic protected health information (“ePHI”), in violation of the Health Insurance Portability and Accountability Act (“HIPAA”). Specifically, Columbia University Medical Center paid $1.5 million and New York Presbyterian Hospital paid $3.3 million to settle the case. This settlement represents the largest HIPAA settlement to date.
Columbia University and New York Presbyterian Hospital have a joint arrangement whereby Columbia faculty members also serve as attending physicians at New York Presbyterian. The organizations operate a shared data network and network firewall that employees of both organizations administer. In September 2010, the Office for Civil Rights (“OCR”) at HHS received notice from both organizations that the security of the ePHI of 6,800 individuals had been compromised because that data was accessible through public search engines.
OCR’s investigation revealed that both organizations had failed to ensure that the network’s server was secure and had failed to conduct a risk analysis of their shared data systems. New York Presbyterian also had not implemented any policies for authorizing database access.
The settlement requires both organizations to undertake a risk analysis, train their staff, and implement compliance plans to ensure that a similar security issue does not occur again. The hospitals did not admit liability in the settlement.