Largest OCR HIPAA Penalty of $4.8M Issued

The largest OCR HIPAA penalty ever issued – to New York and Presbyterian Hospital (NYP) and Columbia University (CU) – means the two organizations will have to pay the Department of Health and Human Services a total of $4.8 million.

The majority of the fine – $3.3 million – is to be paid by NYP, with CU covering the remaining $1.5 million. The fine was the result of a reasonably small data breach which exposed the records of just 6,800 individuals. The security incident involved a server being left unprotected after a firewall was deactivated. The server was part of a computer network that was shared by both NTP and CU, and should have been protected by the firewall at all times.

The incident was caused when a physician who had developed a number of software applications accidentally deactivated the firewall on one server, and his actions made the data available via the search engines.

The fine may appear to be disproportionately high considering the nature of the incident and the volume of records exposed. However, while the number of individuals affected does influence the fines that are issued by the OCR, in this case it was the number of violations that had occurred which ultimately led to the data breach occurring that warranted such a high fine.

The Office for Civil Rights, under the HITECH-amended Health Insurance Portability and Accountability Act, is permitted to fine organizations up to $1.5 million per violation category, per year that the violation has persisted. If the OCR finds numerous violations – and certainly when they have been allowed to persist unchecked for a long period of time – the financial penalties can be several million dollars.

In this instance, the OCR said the penalty was high because no risk analysis had been conducted and there was a lack of safeguards to secure Protected Health Information as required by the HIPAA Security Rule.

This may be the largest OCR HIPAA penalty to date, but it will not be the last multimillion settlement for HIPAA violations. With data breaches on the increase and the OCR policing HIPAA with increased vigor in recent months, the next 12 months could see even bigger fines issued for preventable HIPAA breaches.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of