A New York hospital agreed to pay $387,200 to resolve Health Insurance Portability and Accountability Act (HIPAA) privacy allegations that it disclosed a patient’s particularly sensitive health information, including HIV status, to his employer.
The U.S. Department of Health and Human Services (HHS) investigated St. Luke’s-Roosevelt Hospital Center after the patient filed a complaint that his medical records had been faxed to his employer. This impermissible disclosure, HHS alleged, included sensitive information concerning HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis, and physical abuse.
On investigating, HHS’ Office for Civil Rights (OCR) determined that staff at the hospital’s Spencer Cox Center had impermissibly faxed the patient’s protected health information (PHI) to his employer rather than sending it to the requested personal post office box. The OCR also found that Spencer Cox had committed a related breach 9 months earlier, but had failed to address the vulnerabilities in their compliance program thereafter.
“Individuals cannot trust in a health care system that does not appropriately safeguard their most sensitive PHI,” said OCR Director Roger Severino in a May 23 statement announcing the settlement. “Covered entities and business associates have the responsibility under HIPAA to both identify and actually implement these safeguards,” he said. “In exercising its enforcement authority, OCR takes into consideration aggravating factors such as the nature and extent of the harm caused by failure to comply with HIPAA requirements.”
St. Luke’s, a part of Mount Sinai Health System, impermissibly disclosed two patients’ PHI when it faxed one’s PHI to his workplace and another’s to an office where he volunteered, according to the factual summary OCR included in the settlement. “Given the type of PHI involved, specifically information about HIV, AIDS, and mental health, the impermissible disclosures were egregious,” OCR stated. Along with the impermissible disclosure itself, St. Luke’s failed to employ reasonable safeguards against intentional or unintentional disclosure of the patients’ PHI during faxing, the agency added.
Corrective Action Plan
In addition to the monetary payment, the settlement includes a 3-year corrective action plan (CAP). St. Luke’s must update its policies and procedures on PHI uses and disclosures, including by mail, fax, and electronic transmission. Once HHS approves the revised policies and procedures, St. Luke’s must train its workforce members accordingly and have them certify completion as a condition of PHI access.
The CAP also requires St. Luke’s to report any violations of the policies and procedures to HHS within 30 days, and submit initial and annual “implementation reports” attesting to compliance with the agreement at all locations.
HIPAA-covered healthcare providers and health plans, including employer group health plans, may not disclose PHI without the individual’s written authorization, except for specified purposes. A group health plan may disclose PHI to its sponsoring employer for plan administration purposes, but only if certain conditions are met, including the employer agreeing not to use it for employment-related purposes.
David A. Slaughter, JD, is a Senior Legal Editor for BLR’s Thompson HR products, focusing on benefits compliance. Before coming to BLR, he served as editor of Thompson Information Services’ (TIS) HIPAA guides, along with other writing and editing duties related to TIS’ HR/benefits offerings. Mr. Slaughter received his law degree from the University of Virginia and his B.A. from Dartmouth College. He is an associate member of the Virginia State Bar.
Questions? Comments? Contact David at firstname.lastname@example.org for more information on this topic.