[ Wednesday, December 30, 2015 ]
I found this in my "drafts" in blogger, and should've posted this way back in May 2014 (note how this risk analysis thing just keeps coming up):
Jeff [1:04 PM]
BIG HIPAA fine:
NY Presbyterian Hospital and Columbia University are paying OCR $4.8 million ($3.3M from NY Pres, $1.5M from Columbia) to settle potential HIPAA violations
. Columbia Medical School physicians serve as the medical staff of NY Pres, and they share a computer network and hospital information system. A Columbia physician attempted to remove a privately-owned server from the network, and it somehow made patient data available to internet searches. Neither entity had done a risk analysis to identify all systems containing ePHI, and thus didn't have sufficient risk management processes. Add to that failure to manage access authorizations and failure to comply with their own policies, and you get a big, big fine.
The lynchpin here is the failure to do a good risk analysis. That's where it all starts.
Blogger: HIPAA Blog - Edit your Template