The present paper considers the case of the New York Presbyterian Hospital (NYP) and Columbia University Medical Center (CU), which involves a major HIPAA Privacy Rule violation. The event is described, and the possible solutions are proposed. It is suggested that the violation was rather complex, which is why multiple interventions are required for the improvement of the situation, but the use of technical safeguards is one of the most important components of the solution.
According to the Office for Civil Rights, NYP and CU were found responsible for a breach event in which a physician deactivated “a personally-owned computer server on the network containing ePHI” (McCann, 2014, para. 2). As a result, because no appropriate technical safeguards were in place, the ePHI became accessible through Google search. The records of 6,800 patients were compromised, which can be regarded as an extremely serious privacy violation (Chen & Benusa, 2017, p. 2). NYP and CU only learned of the breach after an individual filed a complaint about encountering a relative's ePHI online.
The event apparently involves a number of HIPAA violations, which could have been prevented had the two organizations not demonstrated willful neglect. First, the physician can be accused of willfully compromising PHI and violating the privacy of the patients (Chen & Benusa, 2017; Harting, DeWees, Vela, & Khirallah, 2015). Second, the fact that no technical safeguards had been enabled is a major violation of the HIPAA Privacy Rule (Chen & Benusa, 2017; U.S. Department of Health & Human Services, 2013, para. 90).
Apart from that, the physician's actions likely indicate a lack of either appropriate training or appropriate policies, either of which can be viewed as a violation of the administrative requirements of the HIPAA Privacy Rule (U.S. Department of Health & Human Services, 2013, para. 86, 88).
Finally, the fact that the breach was discovered only after an external complaint also indicates a lack of appropriate policies, training, and safeguards; these could have alerted the physician to the possible consequences of their actions and guided them to report the event. To sum up, the violation of the HIPAA Privacy Rule is apparent in this case, and both the physician and the organizations can be viewed as guilty of willful neglect (Harting et al., 2015).
The present case demonstrates the importance of the proper management of ePHI. Indeed, a breach of a similar scope is impossible for non-electronic forms of PHI, which suggests that ePHI is particularly vulnerable and requires more cautious handling. Resolving the case requires multiple interventions, including those aimed at developing various safeguards. Administrative interventions are clearly required for the organizations, but technical safeguards appear to be extremely important as well. In fact, Harting et al. (2015) suggest that the lack of appropriate risk assessment and technological safeguards was the key reason for the event.
Therefore, the principal suggestion for improving the situation at NYP and CU is to conduct an analysis of their shared data network and to develop appropriate, customized technical safeguards. The HIPAA Privacy Rule requires these activities; they would also demonstrate respect for the fundamental privacy right of every patient. Thus, the event has revealed major weaknesses in the HIPAA compliance of NYP and CU, which can be resolved through a comprehensive revision of their safeguards, including technical ones.
References
Chen, J., & Benusa, A. (2017). HIPAA security compliance challenges: The case for small healthcare providers. International Journal of Healthcare Management, 10(2), 135–146.
Harting, M., DeWees, J., Vela, K., & Khirallah, R. (2015). Medical photography: Current technology, evolving issues and legal perspectives. International Journal of Clinical Practice, 69(4), 401–409.
McCann, E. (2014). Hospitals fined $4.8M for HIPAA violation. Healthcare IT News.
U.S. Department of Health & Human Services. (2013). Summary of the HIPAA Privacy Rule.