Lack of Technical Controls Leads to Two Settlements with OCR for $4.8M.

On May 8, 2014, the Office of Civil Rights (OCR) announced a settlement with New York and Presbyterian Hospital (NYP) and Columbia University (CU) involving allegations of violations of the HIPAA Privacy and Security Rules. Under the Resolution Agreements, NYP will pay $3 million and CU will pay $1.5 million to settle the investigations.

A few preliminary comments.... This settlement is a good reminder that covered entities, business associates, and subcontractors must choose their partners carefully. As more organizations implement data sharing agreements, form strategic healthcare IT partnerships (e.g., those involving big data, analytics, etc.), and otherwise store their data with vendors, data breach issues are inevitable. Healthcare providers and vendors must carefully review their agreements to ensure that each party bears the appropriate amount of risk. Provisions related to indemnification, limitation of liability, damages caps, and insurance requirements should be reviewed with special attention.

NYP and CU are separate covered entities, but have an affiliation - generally called New York Presbyterian Hospital/Columbia University Medical Center - where CU faculty members serve as attending physicians at NYP.  Under this arrangement, "NYP and CU operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to NYP patient information systems containing ePHI."[1]

NYP and CU filed a joint breach report on September 27, 2010 (yes, 2010 - compare that to the 2014 settlement date!) following notification that the information of 6,800 patients, including patient status, vital signs, medications, and laboratory results, was available online. Specifically, according to the OCR Press Release:
The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI.  Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.  The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual's deceased partner, a former patient of NYP, on the internet.
OCR notified each of the entities on November 5, 2010 that it would be launching an investigation. According to the Resolution Agreement with each of the entities, the OCR found the following conduct problematic:

New York Presbyterian Hospital

a. NYP impermissibly disclosed the ePHI of 6,800 patients to Google and other Internet search engines when a computer server that had access to NYP ePHI information systems was errantly reconfigured.

b. NYP failed to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI.

c. NYP failed to implement processes for assessing and monitoring all IT equipment, applications, and data systems that were linked to NYP patient databases prior to the breach incident, and failed to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level.

d. NYP failed to implement appropriate policies and procedures for authorizing access to its NYP patient data bases, and it failed to comply with its own policies on information access management.[2] (emphasis added)

NYP settlement: $3 million.

Columbia University Medical Center

a. CU failed to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications and data systems utilizing ePHI, including the server accessing NYP-ePHI.

b. CU failed to implement processes for assessing and monitoring IT equipment, applications and data systems that were linked to NYP patient data bases prior to the breach incident and failed to implement security measures sufficient to reduce the risks of inappropriate disclosure to an acceptable level.[3]

CU settlement: $1.5 million.

As is the usual course, each Resolution Agreement includes a Corrective Action Plan. Each of the parties must take the following steps:

New York Presbyterian Hospital

Modify Existing Risk Analysis Process.

. . . NYP shall conduct a comprehensive and thorough risk analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, and applications controlled, administered or owned by NYP, its workforce members, and affiliated staff that contains, stores, transmits or receives NYP ePHI. NYP shall develop a complete inventory of all electronic equipment, data systems, and applications that contain or store ePHI which will then be incorporated in its Risk Analysis. . . .

Develop and Implement a Risk Management Plan.

Within ninety (90) calendar days of the completion of the Risk Analysis . . . , NYP shall develop an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities found in its risk analysis. The plan shall include a process and timeline for implementation, evaluation, and revision. The plan shall be forwarded to HHS for its review . . .

Review and Revise Policies and Procedures on Information Access Management.

. . . NYP shall review, and to the extent necessary, revise its internal policies and procedures for authorizing access to NYP ePHI. The revised policies and procedures shall include a specific process to be followed by workforce members and affiliated staff for requesting authorization to access NYP ePHI (including criteria for granting such access), obtaining approval of such request, documenting such request, and conducting periodic monitoring of ePHI usage. NYP shall forward its policies and procedures for authorizing access to all NYP ePHI to HHS for its review . . .

Implement Process for Evaluating Environmental and Operational Changes.

. . . NYP shall develop a process to evaluate any environmental or operational changes that affect the security of NYP ePHI.

Review and Revise Policies and Procedures on Device and Media Controls.

. . . NYP shall review, and to the extent necessary, revise its policies and procedures related to the use of hardware and electronic media including, but not limited to laptops, servers, tablets, mobile phones, USB drives, external hard drives, DVDs and CDs that may be used to access, store, download, or transmit NYP ePHI. The revised policies shall identify criteria for the use of such hardware and electronic media and procedures for obtaining authorization for the use of personal devices and media that utilize NYP ePHI systems. The policies shall also address security responsibilities, including disposal and reuse of personal devices and media and regular compliance monitoring. NYP shall forward its policies and procedures to HHS for its review . . .

Develop an Enhanced Privacy and Security Awareness Training Program.

1. . . . NYP shall augment its existing mandatory Health Information Privacy and Security Awareness Training Program (for workforce members and affiliated staff that have access to protected health information including ePHI) to train on the necessity and existence of prohibitions on the purchase, use or administration of computer equipment that accesses NYP ePHI, except under the explicit management of NYP IT personnel ("the Training Program"). As before, the Training Program shall also include general instruction on compliance with the HIPAA Privacy, Security, and Breach Notification Rules and NYP health information security policies and procedures, and shall also include training on new policies and procedures, if any, developed as required by . . . this CAP.

2. Under the Training Program, NYP shall provide training to all workforce members and affiliated staff as soon as possible but no later than one year of the Effective Date and yearly thereafter. Any workforce member or affiliated staff that commences working for NYP, or that are given access to ePHI, after the development of the Training Program shall be trained within thirty (30) calendar days of the commencement of their employment or affiliation with NYP.

3. Each individual who is required to attend training shall certify, in writing or in electronic form, that he or she has received the required training and the date training was received. NYP shall retain copies of such certifications for no less than six years following the date training was provided.

4. NYP shall review the Training Program, including all training materials developed as part of the program, annually, and, where appropriate, update the training to reflect changes in Federal law or HHS guidance, any issues discovered during audits or reviews, and any other relevant developments.

Columbia University Medical Center

Conduct a thorough Risk Analysis.

. . . CU shall conduct a comprehensive and thorough risk analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems and applications controlled, administered or owned by CU, its workforce members that contains, stores, transmits or receives CU ePHI. CU shall develop a complete inventory of all electronic equipment, data systems, and applications that contain or store ePHI which will then be incorporated in its Risk Analysis. . . .

Develop and Implement a Risk Management Plan.

Within ninety (90) calendar days of completion of the Risk Analysis . . . , CU shall develop an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities found in its risk analysis. The plan shall include a process and timeline for implementation, evaluation, and revision. The plan shall be forwarded to HHS for its review . . .

Review and Revise Policies and Procedures on Information Access Management.

. . . CU shall review and to the extent necessary revise its internal policies and procedures for authorizing access to CU ePHI. The revised policies and procedures shall include a process to be followed by workforce members for requesting authorization to access CU ePHI (including criteria for granting such access), obtaining approval of such request, documenting such request, and conducting periodic monitoring of ePHI usage. CU shall forward its policies and procedures for authorizing access to all CU ePHI to HHS for its review . . .

Compliance with Evaluation Standard.

. . . CU shall develop a process to evaluate any environmental or operational changes that affect the security of CU ePHI.

Review and Revise Policies and Procedures on Device and Media Controls.

. . . CU shall review and to the extent necessary, revise its policies and procedures related to the use of hardware and electronic media including, but not limited to laptops, servers, tablets, mobile phones, USB drives, external hard drives, DVDs and CDs that may be used to access, store, download or transmit CU ePHI. The revised policies shall identify criteria for the use of such hardware and electronic media and procedures for obtaining authorization for the use of personal devices and media that utilize CU ePHI systems. The policies shall also address security responsibilities, including disposal and reuse of personal devices and media and regular compliance monitoring. CU shall forward its policies and procedures to HHS for its review . . .

Develop a Privacy and Security Awareness Training Program.

1. . . . CU shall develop a mandatory Health Information Privacy and Security Awareness Training Program (the Training Program) for workforce members that have access to protected health information including ePHI. The Training Program shall include instruction on compliance with the HIPAA Privacy, Security, and Breach Notification Rules and CU health information security policies and procedures, and shall particularly include training on the policies and procedures developed as required by . . . this CAP.

2. Under the Training Program, CU shall provide training to all workforce members as soon as possible but no later than one year of the Effective Date and yearly thereafter. Any workforce member that commences working for CU after the development of the Training Program shall be trained within thirty (30) calendar days of the commencement of their employment with CU.

3. Each individual who is required to attend training shall certify, in writing or in electronic form, that he or she has received the required training and the date training was received. CU shall retain copies of such certifications for no less than six years following the date training was provided.

4. CU shall review the Training Program, including all training materials developed as part of the program, annually, and, where appropriate, update the training to reflect changes in Federal law or HHS guidance, any issues discovered during audits or reviews, and any other relevant developments.


For a chart summary of the OCR fines as well as other HIPAA related litigation, please see https://melniklegal.com/list_of_HIPAA_fines_and_penalties.html.

---------------------
[1] Press Release, Office of Civil Rights (May 8, 2014), available at https://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/jointbreach-agreement.html.

[2] Resolution Agreement between HHS Office of Civil Rights and New York and Presbyterian Hospital (agr. undated, press release from May 8, 2014).

[3] Resolution Agreement between HHS Office of Civil Rights and Columbia University (agr. undated, press release from May 8, 2014).
---------------------

Posted by: Tatiana Melnik on May 8, 2014