May 23, 2017
Careless handling of HIV information jeopardizes patient’s privacy, costs entity $387k
St. Luke’s-Roosevelt Hospital Center Inc. (St. Luke’s) has paid the U.S. Department of Health and Human Services (HHS) $387,200 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and agreed to implement a comprehensive corrective action plan. St. Luke’s operates the Institute for Advanced Medicine, formerly Spencer Cox Center for Health (the Spencer Cox Center), which provides comprehensive health services to persons living with HIV or AIDS and other chronic diseases. St. Luke’s is 1 of 7 hospitals that comprise the Mount Sinai Health System (MSHS).
In September 2014, the HHS Office for Civil Rights (OCR) received a complaint alleging that a staff member from the Spencer Cox Center impermissibly disclosed the complainant’s protected health information (PHI) to the complainant’s employer. This impermissible disclosure included sensitive information concerning HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis, and physical abuse. OCR’s subsequent investigation revealed that staff at the Spencer Cox Center impermissibly faxed the patient’s PHI to his employer rather than sending it to the requested personal post office box. Additionally, OCR discovered that the Spencer Cox Center was responsible for a related breach of sensitive information that occurred nine months prior to the aforementioned incident but had not addressed the vulnerabilities in their compliance program to prevent impermissible disclosures.
“Individuals cannot trust in a health care system that does not appropriately safeguard their most sensitive PHI,” said Roger Severino, OCR director. “Covered entities and business associates have the responsibility under HIPAA to both identify and actually implement these safeguards. In exercising its enforcement authority, OCR takes into consideration aggravating factors such as the nature and extent of the harm caused by failure to comply with HIPAA requirements.”
The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/stlukes/index.html
To learn more about non-discrimination and health information privacy laws, including civil rights and privacy rights in health care and human service settings, and to find information on filing a complaint, please visit http://www.hhs.gov/hipaa/index.html
Follow OCR on Twitter at http://twitter.com/HHSOCR