Big Settlement in Privacy Case Involving 2 Patients, HIV DataIncidents Involved Faxing of Sensitive Information
A New York City hospital has paid a hefty HIPAA settlement to federal regulators for privacy breaches that impacted just two patients but involved the impermissible disclosure of sensitive medical information, including HIV status.
In a May 23 statement, the Department of Health and Human Services' Office for Civil Rights said St. Luke's-Roosevelt Hospital Center has paid $387,000 and agreed to a corrective action plan to settle a case involving "careless handling of HIV information."
St. Luke's, which is one of seven hospitals in the Mount Sinai Health System, operates the Institute for Advanced Medicine, formerly called the Spencer Cox Center for Health. OCR says that in September 2014, it received a complaint alleging that a Spencer Cox Center staff member impermissibly disclosed the complainant's protected health information to the individual's employer.
"This impermissible disclosure included sensitive information concerning HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis and physical abuse," OCR says. The agency's subsequent investigation revealed that staff at the Spencer Cox Center impermissibly faxed the patient's PHI to his employer rather than sending it to the requested personal post office box.
In addition, during its investigation, OCR discovered that the Spencer Cox Center was responsible for another breach of sensitive information that occurred nine months earlier "but had not addressed the vulnerabilities in their compliance program to prevent impermissible disclosures," OCR says.
The resolution agreement between OCR and St. Luke's notes, that in that earlier case, the hospital inappropriately faxed similar sensitive PHI of another patient to an office at which the individual volunteered, against the patient's expressed instructions.
"Individuals cannot trust in a healthcare system that does not appropriately safeguard their most sensitive PHI," Roger Severino, OCR director, says in the statement. "Covered entities and business associates have the responsibility under HIPAA to both identify and actually implement these safeguards."
Sensitive Health Information
The high settlement amount paid by St. Luke's in a case involving privacy incidents impacting only two individuals reflects the sensitive nature of information that was breached.
"There is no doubt that OCR felt compelled to act due to the sensitivity of the PHI disclosed, that the organization should have been aware of the enhanced safeguards surrounding this type of PHI and there had been repeated occurrences of similar unauthorized disclosures," says privacy attorney David Holtzman of security firm CynergisTek.
"The message here is fix your problems when they happen," notes privacy attorney Kirk Nahra of the law firm Wiley Rein. "This was obviously a particularly sensitive piece of information, and it is possible that this also implicates a request for confidential communication or request for restriction in the HIPAA individual rights. So, while the [settlement] number may seem a bit high, this is both a repeated problem, and one that was not fixed, as well as a particularly harmful step."
This isn't the first settlement that OCR has signed in a case involving the mishandling of HIV information. In 2011, Massachusetts General Hospital and its physicians organization entered into a resolution agreement that included paying a $1 million settlement and taking corrective action in a 2009 case involving the loss on a subway train of paper scheduling documents containing information on 192 patients, including some with HIV/AIDS.
Corrective Action Plan
Besides the financial settlement, under the resolution agreement with OCR, St. Luke's agreed to a corrective action plan that calls for the hospital to:
- Revise as necessary written policies and procedures concerning the uses and disclosures of protected health information, including by mail, fax or other electronic transmission;
- Distribute those policies and procedures to its workforce and update them at least annually;
- Review and revise its training materials to include instructions on safeguarding PHI, and provide that training to its workforce.
In a statement provided to Information Security Media Group, St. Luke's says: "Patient privacy and security is a top priority at Mount Sinai St. Luke's ...We are working with HHS to meticulously review privacy and security protocols, ensuring all necessary safeguards are in place. Compliance with HIPAA is a core tenent of our work, and we will continue to remain committed to attaining the highest levels of success in this regard."
Small Breaches, Big Impact
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine note that while larger breaches tend to get the spotlight, OCR has over the years received "hundreds of thousands" of breach reports involving incidents impacting fewer than 500 individuals, and in many cases, affecting just one or two people.
"These often involve issues such as misdirected faxes," he says. OCR has signaled, however, that it is ramping up its attention to some of these smaller cases, he notes.
"Last year, OCR sent out a bulletin that it was going to focus more on smaller breaches, especially where a covered entity or business associate repeatedly has similar small breaches. While the [St. Luke's] incident preceding OCR's announcement about small breaches, I think this settlement represents OCR following through on last year's promise," Greene says.
Lessons to Learn
Although the St. Luke's case involved the faxing of sensitive PHI, all organizations should keep some lessons in mind when it comes to any disclosure of PHI.
"Covered entities and business associates should re-examine their policies and processes for responding to requests by patients to receive copies of their PHI or in directing where they are to be sent," Holtzman says.
Healthcare entities should "ensure that front-line personnel responsible for responding to patient requests for copies of their PHI are trained to recognize and fulfill the directions from the individual on receipt of the communications," he adds. "Management should put into place processes to audit the performance of front line personnel to ensure compliance with policies and procedures as well as meeting patient expectations for delivery their requests for copies of their PHI."
Greene notes that while healthcare organizations should continue to focus on such areas as risk analysis and encryption, the St. Luke's case "is a reminder that they should also ensure that there are strong safeguards surrounding hard-copy information, such as processes to double-check that faxes are being sent to the right recipient."