Egregious HIPAA Breach Punished with $378,000 Fine

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced yet another settlement to resolve HIPAA violations, this time for the careless handling of extremely sensitive health information.

St. Luke’s-Roosevelt Hospital Center Inc., has paid OCR $378,000 to resolve an impermissible disclosure of patients’ protected health information to their employers. A wide range of highly sensitive information including patients’ HIV statuses, sexual orientation, sexual diseases, mental health diagnosis, medications, history of physical abuse, and details of medical care provided were impermissibly disclosed. The disclosures violated the HIPAA Privacy Rule.

The disclosures were made by the Spencer Cox Center – now St. Luke’s Institute for Advanced Medicine, one of seven hospitals operated by the Mount Sinai Health System.

OCR investigated the privacy breach after receiving a complaint about an impermissible disclosure in September 2014. Staff at Spencer Cox Center had faxed the highly sensitive PHI to a patient’s employer, rather than sending it to a personal post box.

OCR also discovered that nine months previously the PHI of another patient was faxed to an office where that individual volunteered. Even though that initial privacy violation was an impermissible disclosure under HIPAA Rules, Spencer Cox Center had failed to implement controls to prevent further privacy breaches. OCR said the impermissible disclosures were egregious.

Both of those disclosures were against patients’ wishes. OCR claims that in both instances, the patients had expressed instructions that were not followed. OCR determined that the Spencer Cox Center had failed to safeguard both patients’ PHI, leading to the exposure of highly sensitive information.

In the press release announcing the HIPAA settlement, OCR Director Roger Severino said “Individuals cannot trust in a health care system that does not appropriately safeguard their most sensitive PHI.”

Severino also explained that “OCR takes into consideration aggravating factors such as the nature and extent of the harm caused by failure to comply with HIPAA requirements.”

Last year was a record breaking year for HIPAA settlements. 12 settlements were agreed with HIPAA covered entities and one CMP was issued. Last year’s total looks set to be eclipsed. There have already been nine HIPAA settlements reached with covered entities in 2017 and May is not yet over.

OCR is sending a clear message to healthcare organizations. HIPAA violations will be discovered and heavy financial penalties await organizations that fail to comply with HIPAA Rules.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of