May 09, 2014 01:00 AM

Record HIPAA settlement could portend tougher privacy enforcement

Joseph Conn

    From the perspective of a healthcare lawyer, the recent record-setting, multimillion-dollar Health Insurance Portability and Accountability Act joint settlement by New York-Presbyterian Hospital and Columbia University is disquieting for several reasons.

    “I can't make heads or tails of why this one was so big,” said Adam Greene, a partner with Davis Wright Tremaine and a former senior health information-technology and privacy specialist at the HHS' Office for Civil Rights, the chief federal enforcement agency for HIPAA privacy and security rules.

    The combined $4.8 million settlement was the largest payout of any kind to settle a HIPAA case. But measured per record, at $706 for each of the 6,800 patient records exposed to the Internet, it ranks high but not at the top of the heap of the 21 cases to date in which money has changed hands, according to a list of financial settlements on the OCR's web site.

    That distinction goes to a 2011 settlement between the OCR and Boston's Massachusetts General Hospital for $1 million, reached after an employee in 2009 left 192 paper records of infectious-disease patients, including patients with HIV, on a commuter train. That works out to a cost per record of $5,208.

    Several other settlements have involved far larger breaches for far less money. In 2012, for example, Blue Cross Blue Shield of Tennessee agreed to pay $1.5 million after data on about 1 million of its members was stolen, along with 57 storage devices, from an office in Chattanooga.

    The previous record holder for the largest patient-record financial payout was not a settlement but a civil monetary penalty, the only one issued thus far in a HIPAA case by the Office for Civil Rights. And it didn't involve a breach: the penalty resulted from not providing 41 individuals access to their medical records, and was levied against Cignet Health at $4.3 million. The amount was eventually raised to just short of $4.8 million, after litigation.

    Greene speculated that the New York case might be the result of a bad dynamic with the regional office during negotiations, or it might be because the federal government is ratcheting up its dollar amounts to get the industry's attention. “This is really the first in that range, so we can't say yet,” he said.

    With the coming of the Obama administration in 2009, and particularly under the leadership of former federal fraud prosecutor Leon Rodriguez, beginning in 2011, the OCR has gradually shifted away from jawboning healthcare organizations into compliance with HIPAA privacy and security rules in favor of more aggressive settlement agreements, some with sizable penalties.

    The most recent settlement, Greene said, is “part of a continued transition away from voluntary compliance. The first five years of required compliance with the privacy rule (2003 through 2007), not a dollar changed hands.” That approach was in line with the Bush administration's stated policy, Greene said. “From 2008 through 2011, we started to see a few settlements, and they were in the million (dollar) range. Then last year and the year before, under Director Rodriguez, we saw five a year or so.”

    With the New York case, “I'm wondering if we're on a tip of an iceberg of higher settlements,” Greene said.

    In 2009, Congress mandated, as part of a series of more stringent privacy protections included in the American Recovery and Reinvestment Act, that HHS begin a series of audits of healthcare organizations for adherence to privacy and security rules.

    A first round of 115 audits was completed in late 2012. A final report on the results of that audit program has not been released, but Rodriguez has said publicly the audits showed “a good number” of organizations had problems meeting the risk assessment requirement under the law.

    In addition, a slide presentation summarizing the audit findings, presented publicly several times by Linda Sanches, OCR senior advisor for health information privacy, reports that complete and accurate risk assessments were lacking at two-thirds of the entities audited, including 47 of 59 healthcare providers, 20 out of 35 health plans and two out of seven claims clearinghouses.

    Similarly, the OCR's statement about the New York settlement made prominent mention of the inadequacy of the two organizations' HIPAA risk assessments. That was telling, Greene said.

    “They've been doing everything they can to put people on notice they have very high expectation with risk analysis,” he said.

    Another disconcerting aspect of the joint New York settlement, according to Greene, was the disparity between the two settlement amounts.

    New York-Presbyterian, whose computer server was exposed to the Internet, paid $3.3 million, while Columbia University, whose employed physician worked with the network that exposed the patient data, paid $1.5 million.

    It could set a precedent that might undermine federal efforts to promote health information exchange, Greene said.

    “This was a Columbia University employee who, to my understanding, accessed information from New York-Presbyterian for research purposes, and New York-Presbyterian got hit with more than double the penalty,” Greene said. “This raises the risk that they will look closely—when you exchange information with another covered entity, what kind of safeguards do you have in place?”

    Greene added, “Holding one covered entity liable for another company's inappropriate access could have a chilling effect on one entity opening up its records to another.”

    Follow Joseph Conn on Twitter: @MHJConn

    Modern Healthcare
    Copyright © 1996-2023. Crain Communications, Inc. All Rights Reserved.