The combined $4.8 million settlement was the largest payout of any kind to settle a HIPAA case. But on a per-record basis (6,800 patient records exposed to the Internet, or $706 per record) it ranks high, though not at the top of the heap of the 21 cases to date in which money has changed hands, according to a list of financial settlements on the OCR's web site.
That distinction goes to a 2011 settlement for $1 million between the OCR and Boston's Massachusetts General Hospital, after an employee in 2009 left 192 paper records of infectious-disease patients, including patients with HIV, on a commuter train, a cost of $5,208 per record.
Several other settlements have involved far larger breaches for far less money. In 2012, for example, Blue Cross Blue Shield of Tennessee agreed to pay $1.5 million after data on about 1 million of its members was stolen, along with 57 storage devices, from an office in Chattanooga.
The previous record holder for the largest patient-record financial payout was not a settlement but a civil monetary penalty, the only one issued thus far in a HIPAA case with the Office for Civil Rights. And it didn't involve a breach: the penalty of $4.3 million was imposed on Cignet Health for failing to provide 41 individuals with access to their medical records. The amount was eventually raised to just short of $4.8 million, after litigation.
Greene speculated that the New York case might be the result of a bad dynamic with the regional office during negotiations, or it might be because the federal government is ratcheting up its dollar amounts to get the industry's attention. “This is really the first in that range, so we can't say yet,” he said.
With the coming of the Obama administration in 2009, and particularly under the leadership of former federal fraud prosecutor Leon Rodriguez, beginning in 2011, the OCR has gradually shifted away from jawboning healthcare organizations into compliance with HIPAA privacy and security rules in favor of more aggressive settlement agreements, some with sizable penalties.
The most recent settlement, Greene said, is “part of a continued transition away from voluntary compliance. The first five years of required compliance with the privacy rule (2003 through 2007), not a dollar changed hands.” That approach was in line with the Bush administration's stated policy, Greene said. “From 2008 through 2011, we started to see a few settlements, and they were in the million (dollar) range. Then last year and the year before, under Director Rodriguez, we saw five a year or so.”
With the New York case, “I'm wondering if we're on a tip of an iceberg of higher settlements,” Greene said.
In 2009, Congress mandated, as part of a series of more stringent privacy protections included in the American Recovery and Reinvestment Act, that HHS begin a series of audits of healthcare organizations for adherence to privacy and security rules.
A first round of 115 audits was completed in late 2012. A final report on the results of that audit program has not been released, but Rodriguez has said publicly the audits showed “a good number” of organizations had problems meeting the risk assessment requirement under the law.
In addition, a slide presentation summarizing the audit findings, presented publicly several times by Linda Sanches, OCR senior advisor for health information privacy, reports that complete and accurate risk assessments were lacking at two-thirds of the entities audited, including 47 of 59 healthcare providers, 20 out of 35 health plans and two out of seven claims clearinghouses.
Similarly, the OCR's statement about the New York settlement made prominent mention of the inadequacy of the two organizations' HIPAA risk assessments. That was telling, Greene said.
“They've been doing everything they can to put people on notice they have very high expectation with risk analysis,” he said.
Another disconcerting aspect about the joint New York settlement, according to Greene, was its disparity in settlement amounts.
New York-Presbyterian, whose computer server was exposed to the Internet, paid $3.3 million, while Columbia University, whose employed physician worked with the network that exposed the patient data, paid $1.5 million.
It could set a precedent that might undermine federal efforts to promote health information exchange, Greene said.
“This was a Columbia University employee who, to my understanding, accessed information from New York-Presbyterian for research purposes, and New York-Presbyterian got hit with more than double the penalty,” Greene said. “This raises the risk that they will look closely—when you exchange information with another covered entity, what kind of safeguards do you have in place?”
Greene added, “Holding one covered entity liable for another company's inappropriate access could have a chilling effect on one entity opening up its records to another.”
Follow Joseph Conn on Twitter: @MHJConn