'Careless handling' of private patient information leads to $387,000 HIPAA fine for St. Luke's-Roosevelt

Settlement stems from 2014 OCR complaint that staff member from Spencer Cox Center disclosed a patient's protected health information.
By Beth Jones Sanborn
10:32 AM

St. Luke's-Roosevelt Hospital Center, part of New York's Mount Sinai Health System, has paid the Department of Health and Human Services $387,200 to settle potential HIPAA violations stemming from a complaint that alleged the organization had mishandled sensitive patient information, HHS announced Tuesday.

The complaint was lodged with the HHS Office for Civil Rights in September 2014 against the Spencer Cox Center for Health. The Center is now known as the Institute for Advanced Medicine, which is part of the Mount Sinai system, and provides comprehensive health services to persons living with HIV or AIDS and other chronic diseases.


The complaint said a staff member from the Center improperly disclosed the complainant's protected health information to their employer, including HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis, and physical abuse.

"OCR's subsequent investigation revealed that staff at the Spencer Cox Center impermissibly faxed the patient's PHI to his employer rather than sending it to the requested personal post office box," OCR said in a statement.

OCR said it also found that the Center had been responsible for a related breach of sensitive information nine months earlier, but had failed to address the vulnerabilities in its compliance program that allowed such disclosures to happen.


"Individuals cannot trust in a health care system that does not appropriately safeguard their most sensitive PHI," said Roger Severino, OCR director. "Covered entities and business associates have the responsibility under HIPAA to both identify and actually implement these safeguards. In exercising its enforcement authority, OCR takes into consideration aggravating factors such as the nature and extent of the harm caused by failure to comply with HIPAA requirements."

St. Luke's has agreed to a corrective action plan that requires a review and possible revision of its policies and procedures on the use and disclosure of PHI, as well as a review and possible revision of its training materials to cover safeguarding PHI.

Twitter: @BethJSanborn