St. Luke’s hospital came under fire after faxing two patients’ sensitive medical information against their request.
The Office for Civil Rights (OCR) reached a settlement with St. Luke’s-Roosevelt Hospital Center over violations of HIPAA’s Privacy Rule related to impermissible disclosure of protected health information (PHI).
Who is St. Luke’s?
According to the OCR press release, St. Luke’s-Roosevelt Hospital Center Inc. (St. Luke’s) operates the Institute for Advanced Medicine, formerly the Spencer Cox Center for Health, which provides comprehensive health services to persons living with HIV or AIDS and other chronic diseases. St. Luke’s is 1 of 7 hospitals that comprise the Mount Sinai Health System.
Data Breach Details
OCR received an initial complaint in 2014 regarding impermissible disclosure of patient health information by the staff at Spencer Cox Center.
OCR launched an investigation and found that Spencer Cox Center staff had faxed the patient’s PHI directly to his employer, not to the personal post office box he had requested.
Information disclosed included highly sensitive medical information: HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis, and physical abuse.
Through its investigation of this event, OCR discovered that the Spencer Cox Center was also responsible for a related breach of sensitive information and had taken no action to address the apparent issue. In that related breach, nine months earlier, staff faxed another patient’s PHI (against the patient’s express instructions) to an office where the patient volunteered.
The settlement includes a $387,000 penalty for St. Luke’s, along with a corrective action plan.
The corrective action plan includes several remediation steps:
- Revise and distribute written policies and procedures concerning the uses and disclosures of PHI (mail, fax, or email), and update them annually
- Revise and distribute training materials to include instruction on safeguarding PHI
For a case involving the PHI of only two individual patients, this might seem like a heavy assessment by OCR. The high settlement amount conveys OCR’s focus on two areas in this case: 1) a penalty proportionate to the sensitivity of the information, and 2) a penalty for failing to address known compliance issues.
The settlement amount clearly reflects the sensitive nature of the patient information disclosed. The high penalty also addresses the failure to correct the initial vulnerabilities. Had the Spencer Cox Center addressed the issues in its compliance program at the time of the first breach, procedures and policies would have been in place to mitigate future events and prevent this type of impermissible disclosure.
It is no surprise to see OCR pursuing a case in which so few individuals were affected. OCR noted last year that it would start focusing more on smaller breaches, and this example shows OCR has been true to its word. We also reported on a $2.4 million penalty earlier in May for an incident involving only one patient’s information.