‘Careless’ Disclosure of Sensitive Information Leads to HIPAA Settlement

June 8, 2017 | Health Services

The U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) announced that St. Luke’s-Roosevelt Hospital Center Inc. (“St. Luke’s”) entered into a HIPAA settlement for $387,200 resulting from the impermissible disclosure of two patients’ protected health information (“PHI”). In addition to the settlement, St. Luke’s has entered into a specific Corrective Action Plan.

On September 12, 2014, OCR received an allegation that a staff member of St. Luke’s impermissibly disclosed the PHI of a patient by faxing the patient’s medical records to his employer. In March 2015, OCR commenced its investigation and concluded that St. Luke’s impermissibly disclosed the PHI of two patients when staff members faxed one individual’s PHI to his workplace and the other individual’s PHI to an office at which he volunteered. Information disclosed included sensitive material relating to HIV status, sexually transmitted diseases, and mental health. OCR determined the impermissible disclosures to be egregious given the sensitive nature of the material. Additionally, OCR determined that St. Luke’s was responsible for failing to address vulnerabilities in its compliance program after a related breach of sensitive information that occurred nine months earlier.

Roger Severino, OCR Director, said: “Covered entities and business associates have the responsibility under HIPAA to both identify and actually implement these safeguards. In exercising its enforcement authority, OCR takes into consideration aggravating factors such as the nature and extent of the harm caused by failure to comply with HIPAA requirements.”

As noted in a previous alert, OCR is continuing its aggressive enforcement of HIPAA’s privacy and security standards. Both covered entities and business associates should review their policies and procedures to ensure compliance with all applicable laws, rules and regulations to avoid potential enforcement actions by OCR.
