FOR IMMEDIATE RELEASE
May 23, 2017
Contact: HHS Press Office
202-690-6343
media@hhs.gov

Careless handling of HIV information jeopardizes patient’s privacy, costs entity $387k

St. Luke’s-Roosevelt Hospital Center Inc. (St. Luke’s) has paid the U.S. Department of Health and Human Services (HHS) $387,200 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and agreed to implement a comprehensive corrective action plan. St. Luke’s operates the Institute for Advanced Medicine, formerly Spencer Cox Center for Health (the Spencer Cox Center), which provides comprehensive health services to persons living with HIV or AIDS and other chronic diseases. St. Luke’s is 1 of 7 hospitals that comprise the Mount Sinai Health System (MSHS).

In September 2014, the HHS Office for Civil Rights (OCR) received a complaint alleging that a staff member from the Spencer Cox Center impermissibly disclosed the complainant’s protected health information (PHI) to the complainant’s employer. This impermissible disclosure included sensitive information concerning HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis, and physical abuse. OCR’s subsequent investigation revealed that staff at the Spencer Cox Center impermissibly faxed the patient’s PHI to his employer rather than sending it to the requested personal post office box. Additionally, OCR discovered that the Spencer Cox Center was responsible for a related breach of sensitive information that occurred nine months prior to the aforementioned incident but had not addressed the vulnerabilities in their compliance program to prevent impermissible disclosures.

“Individuals cannot trust in a health care system that does not appropriately safeguard their most sensitive PHI,” said Roger Severino, OCR director. “Covered entities and business associates have the responsibility under HIPAA to both identify and actually implement these safeguards. In exercising its enforcement authority, OCR takes into consideration aggravating factors such as the nature and extent of the harm caused by failure to comply with HIPAA requirements.”

The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/stlukes/index.html.

To learn more about non-discrimination and health information privacy laws, including civil rights and privacy rights in health care and human service settings, and to find information on filing a complaint, please visit http://www.hhs.gov/hipaa/index.html.

Follow OCR on Twitter at http://twitter.com/HHSOCR.

###
Note: All HHS press releases, fact sheets and other news materials are available at https://www.hhs.gov/news.
Last revised: May 23, 2017