The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has levied a $387,200 HIPAA settlement against St. Luke’s-Roosevelt Hospital Center for unlawful disclosure of patient data.
OCR was alerted to the breach in September of 2014. A patient at the Institute for Advanced Medicine (formerly the Spencer Cox Center for Health) reported that a staff member disclosed the patient’s protected health information (PHI) to the patient’s employer.
PHI is any personally identifiable information collected during patient care, including name, date of birth, Social Security number, financial information, phone number, address, and etc.
The disclosure involved highly sensitive and private data including information about the patient’s HIV status, history of medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis, and history of physical abuse. The staff member responsible for the breach faxed the PHI to the patient’s employer, rather than the proper PO box address as requested.
OCR’s HIPAA investigation revealed a history of non-compliance. A similar breach occurred just nine months prior to the reported incident, and St. Luke’s did nothing to address gaps in its compliance program. Once such vulnerabilities have been revealed, it’s the organization’s role to implement corrective actions to prevent future incidents.
“Individuals cannot trust in a healthcare system that does not appropriately safeguard their most sensitive PHI,” said OCR Director, Roger Severino. “Covered entities and business associates have the responsibility under HIPAA to both identify and actually implement these safeguards. In exercising its enforcement authority, OCR takes into consideration aggravating factors such as the nature and extent of the harm caused by failure to comply with HIPAA requirements.”
This is the ninth HIPAA settlement that OCR has reached in 2017, for a total of $17.1 million in HIPAA fines since January alone. Compare that number to $6.2 million in 2015 and $23.5 million in 2016. OCR investigations and HIPAA settlements are becoming a routine part of HIPAA enforcement. Are you doing everything you can to protect your practice with HIPAA compliance?