HIPAA Settlement – just a measly $4.8 million!


News from the HHS Office for Civil Rights: Columbia University and NY-Presbyterian Hospital have settled with the government following the 2010 Internet exposure of 6,800 patients’ records, including lab test results. Ouch!

What apparently led to this painful episode?

A physician employed by Columbia University had developed computer applications for both Columbia University and NY-Presbyterian. He tried to “deactivate a personally owned computer server on the network.” According to the Office for Civil Rights, this attempted “deactivation of the server [and] resulted in ePHI (electronic protected health information) being accessible on Internet search engines.” In other words, the patient data ended up on a host that search engines could reach and index, with nothing in place to stop that.

The hospital will pay the larger share of the penalties ($3.3 million) and the University $1.5 million. The nub of this case is the joint compliance arrangement that these two SEPARATE covered entities had set up when they created a shared data network between them.

As more covered entities “collaborate” and integrate their systems, they must pay attention to how ePHI, and good old, regular PHI, can be accessed or mistakenly disclosed, and to which party is responsible for each system on the shared network that holds it.