$387,200 Fine from HHS OCR for the Improper Disclosure of PHI to an Employer and a Volunteer Organization

On May 23, 2017, the Department of Health and Human Services Office of Civil Rights (HHS OCR) announced a settlement with St. Luke’s-Roosevelt Hospital Center, part of the Mount Sinai Health System, to resolve allegations that protected health information (PHI) had been improperly been disclosed to a patient’s employer in one case, and a volunteer organization in another incident.

St. Luke’s operates the Institute for Advanced Medicine (formerly the Spencer Cox Center for Health), which provides comprehensive health services to individuals living with HIV, AIDS and other chronic conditions. In September 2014, HHS OCR received a complaint alleging that a staff member at Spencer Cox impermissibly faxed PHI about a patient to the patient’s employer rather than sending it to a post office box as had been requested. The fax included sensitive PHI including information pertaining to HIV status, sexually transmitted disease, medications, mental health diagnosis, physical abuse and other information about the individual’s care. As a result of its investigation, HHS OCR determined that approximately nine months prior to this errant fax, staff at Spencer Cox also had erroneously faxed the PHI of another patient to an office where that patient volunteered.

The settlement consisted of a fine of $387,200 and a three-year corrective action plan requiring St. Luke’s to revise its policies and procedure and train its staff. HHS OCR’s press release announcing the settlement quotes HHS OCR Director Roger Severino stating: “In exercising its enforcement authority, OCR takes into consideration aggravating factors such as the nature and extent of the harm caused by failure to comply with HIPAA requirements.” The resolution agreement characterizes the violations as “egregious” given the type of PHI that was involved, specifically referencing the information about HIV, AIDS and mental health.

The case underscores the importance of safeguarding PHI as part of day-to-day operations. In this case, two errant faxes sent approximately nine months apart about two different patients, resulted in a significant HIPAA fine. The amount of the fine clearly appears to have been impacted by the type of PHI impermissibly disclosed, but the disclosure of other types of PHI in the same manner also would constitute a HIPAA violation. As a result, even if a covered entity or business associate does not regularly communicate sensitive PHI such as HIV/AIDS or mental health information, it is still important to take care when communicating PHI to third parties (by any means, not only by fax) and to train staff on how to properly communicate PHI.