Health and Human Services issued two announcements recently.  First, HHS announced the largest HIPAA penalty to date, $4.8 million against New York Presbyterian Hospital and Columbia University.  The penalty was for a breach and for the lack of the required risk management plan.  The breach occurred because a physician tried to deactivate a server on his own.  Neither party had an adequate plan or training in place.

HHS has required Presbyterian and Columbia to do a risk analysis, develop a risk management plan, develop policies and procedures, and train their staffs.  All of these requirements of the settlement are requirements of the law.  These things must be done even by practices that have not had a breach.  Failure to have a plan, policies and procedures, failure to train the staff (including the providers), and failure to have the IT system audited and proven secure are all violations of HIPAA, and each one is subject to a potential fine of up to $50,000.

The second HHS announcement was that HIPAA audits are beginning this fall.  Coincidence?

All of the things described above must be done.  Even if not done perfectly, the effort counts.  However, just as in the breach caused by the doctor trying to deactivate the server himself, it is probably not wise to take on this liability yourself.

Southwest Florida was ground zero for the foreclosure crisis.  Please let’s not be ground zero for HHS making “examples” (as they said they will) of health care practices.


Bruce H. Vanderlaan, Attorney at Law, P.A.