Breaking Compliance News Blog

HIPAA Makes History with $4.8 Million Fine

Posted by Margaret Scavotto, JD, CHC on 5/15/14 5:30 AM

New York-Presbyterian Hospital and Columbia University Medical Center made HIPAA history last week when they entered a combined $4.8 Million settlement with the Office of Civil Rights (OCR). This settlement is the largest we have seen under HIPAA enforcement.

What went wrong

In 2010, a physician who developed applications for both entities attempted to deactivate a personally-owned computer server on a shared network that contained ePHI. Because adequate technical safeguards were not in place, this ePHI became accessible on the internet—and showed up in Google searches. The ePHI included:

1) Lab results
2) Medications
3) Patient status
4) Vital signs

Upon investigation, the OCR found that the providers’ HIPAA security program was lacking:

  • Neither party attempted to ensure the server was secure and software protections were in place
  • Neither party had conducted a complete risk analysis—and thus neither party had an adequate risk management plan
  • New York-Presbyterian Hospital failed to implement access policies and procedures, and failed to comply with its own security policies


In addition to entering a $4.8 Million settlement, New York-Presbyterian Hospital and Columbia University Medical Center agreed to take the following corrective steps:

  • Conduct a risk analysis
  • Develop a risk management plan
  • Revise policies and procedures
  • Train staff
  • Provide progress reports to OCR

This settlement is a reminder that HIPAA penalties large enough to put a provider out of business are increasingly common—and can be triggered by the acts of a single employee. The OCR sent a warning to providers who, like the providers in this settlement, are behind on HIPAA security: “The message here is to get your house in order…The gloves are off.” (HealthcareIT News, May 8, 2014).

Learn more:

HIPAA Audits Are Coming: Are You Ready?

Behind on HIPAA Security Compliance? OCR’s new Security Tool raises expectations.

Are Your Employees Tweeting Their Way to a HIPAA Violation?

We implemented HIPAA over 10 years ago when it first came out. Does that put us ahead of the curve?

Where do HIPAA breaches come from?

Will the OCR go easy on us if we are “working on” becoming HIPAA compliant?
