While most healthcare providers know to pay close attention to the HIPAA rules when setting up their information technology systems, recent events have demonstrated that the same scrutiny should be applied to server reconfigurations and other changes to existing IT systems. According to the Department of Health and Human Services Office for Civil Rights (“OCR”), a “reconfiguration” of a computer server shared by two healthcare providers caused the electronic protected health information of 6,800 patients to become accessible to Internet search engines. The two providers, New York-Presbyterian Hospital and Columbia University Medical Center, each entered into a settlement and a Corrective Action Plan with OCR, with the two settlements requiring a combined payment of $4.8 million to OCR.
According to OCR, the hospitals failed to conduct an accurate and thorough risk analysis covering all information technology (“IT”) equipment, applications, and data systems that use electronic protected health information (“ePHI”). Additionally, prior to the breach they had not implemented processes for assessing and monitoring all IT equipment, applications, and data systems linked to their patient databases, and they had not implemented security measures sufficient to reduce the risks and vulnerabilities to their ePHI to a reasonable and appropriate level. The hospitals also failed to implement appropriate policies and procedures for authorizing access to their patient databases, and they failed to comply with their own HIPAA security policies on information access management.
Under the HIPAA Security Rule, covered healthcare providers are required to conduct a risk analysis that accounts for, among other things, every piece of IT equipment and every system that creates, receives, maintains, or transmits ePHI. They are also required to implement security measures, policies, and procedures sufficient to reduce the identified risks and vulnerabilities to a reasonable and appropriate level. Because the risk analysis describes a particular state of the environment, it goes stale the moment that environment changes. Whenever a change is made to a healthcare provider’s IT systems, whether a server is reconfigured or decommissioned, a network or firewall setting is altered, or a database is moved, the risk analysis should be updated to identify any new potential for improper disclosure of ePHI as a result of the change. Any such risk must be eliminated or sufficiently reduced before the change is put into effect, both to avoid a HIPAA violation and to avoid the costly penalties that accompany one.