$387,000 HIPAA Penalty for Disclosing HIV Status to Employer

Following a Department of Health and Human Services’ Office for Civil Rights (OCR) investigation of a complaint about an impermissible disclosure of PHI, St. Luke’s-Roosevelt Hospital Center Inc. has paid OCR $387,200 to resolve potential HIPAA compliance violations.

In September 2014, a complaint was submitted to OCR about a possible privacy violation involving a patient of St. Luke’s Spencer Cox Center for Health. The complaint alleged that a member of St. Luke’s staff had violated the patient’s privacy by faxing protected health information to the patient’s employer.

The information contained in the fax was highly sensitive, including the patient’s sexual preference, HIV status, sexually transmitted diseases, mental health diagnosis, details of physical abuse experienced, medical care and medications being taken. Rather than faxing the information, it should have been sent to a personal post box as requested by the patient.

The investigation found that this was not the only time the HIPAA Privacy Rule had been breached in this way. A similar incident had occurred nine months earlier, when a patient’s PHI was faxed to an office where he volunteered.

The Privacy Rule violations in both of these cases were particularly serious due to the highly sensitive nature of data that was disclosed. In the resolution agreement, OCR said the impermissible disclosures were shocking.

HIPAA Rules require covered entities to safeguard patients’ protected health information at all times. The investigation found that St. Luke’s had failed to do so on two occasions, in violation of 45 C.F.R. § 164.530(c)(2)(i). Further, after the first impermissible disclosure, St. Luke’s did not address the weaknesses in its compliance program that allowed such disclosures to occur. Had those weaknesses been addressed, the second privacy violation might have been prevented altogether.

Along with paying OCR $387,200, St. Luke’s must adopt a corrective action plan (CAP). The CAP requires the hospital to review and update its policies and procedures on permissible uses and disclosures of PHI and to train staff members on the updated policies and procedures.

OCR issued a press release with details of the HIPAA settlement in which OCR director Roger Severino said “Individuals cannot trust in a health care system that does not appropriately safeguard their most sensitive PHI,” explaining “Covered entities and business associates have the responsibility under HIPAA to both identify and actually implement these safeguards.” OCR considered the nature of the breach and the extent of the harm caused when deciding on an appropriate settlement amount.

So far in 2017 there have been nine separate HIPAA settlements between OCR and covered entities to resolve HIPAA violations uncovered during investigations of complaints and data breaches. At the current rate of almost two settlements a month, OCR is on course to double last year’s record-breaking number of HIPAA enforcement fines. The rise in HIPAA fines shows that OCR is taking a much tougher line on covered entities that fail to comply with HIPAA Rules.

Two of the most recent HIPAA fines have arisen from complaints involving violations affecting only one or two patients. It can no longer be taken for granted that only large-scale data breaches will merit financial penalties. Any violation of HIPAA Rules may now lead to a HIPAA financial penalty.

Author: Maria Perez