New York and Presbyterian Hospital (“Presbyterian”) and Columbia University (“Columbia”) are affiliated as the New York Presbyterian Hospital/Columbia University Medical Center. According to a recent report published by the HHS Office of Civil Rights (“OCR”), Presbyterian and Columbia are separate covered entities, with Columbia faculty members serving as attending physicians at Presbyterian. Presbyterian and Columbia operate a shared data network and a shared network firewall that links to Presbyterian patient information systems.
The OCR investigation found that a physician employed by Columbia attempted to deactivate a personally owned computer server on the network. Something went terribly wrong, because deactivation of the server resulted in the electronic PHI of 6,800 individuals becoming accessible through internet search engines. The potential disclosure included patient status, vital signs, medications and lab results.
In order to resolve the HIPAA violation with OCR, Presbyterian has agreed to a settlement amount of $3,300,000 and Columbia has agreed to an additional payment of $1,500,000. In addition, each agreed to take other corrective actions. This is the largest HIPAA settlement to date for a single event. The Resolution Agreements containing more details can be found here and here.