Mount Sinai St. Luke's agrees to $387k HIPAA settlement after 'careless' disclosure of HIV status

New York City-based St. Luke's-Roosevelt Hospital Center will pay $387,200 and implement a corrective action plan as part of a HIPAA settlement to resolve allegations it inappropriately handled a patient's sensitive health information.

St. Luke's — one of New York City-based Mount Sinai Health System's seven hospitals — operates a center that provides comprehensive health services to patients with HIV, AIDS and other chronic diseases. HHS' Office for Civil Rights received a complaint in September 2014 alleging a staff member at the center disclosed a patient's protected health information to his employer, including HIV status, sexual orientation and physical abuse, among other sensitive information.

In its investigation, OCR found the staff member inappropriately faxed the patient's PHI to his employer, rather than delivering it to the requested personal post office box. OCR also discovered the center was responsible for a related privacy breach nine months prior. However, St. Luke's failed to address vulnerabilities in its compliance program to prevent future impermissible disclosures following this incident, according to OCR.

"Individuals cannot trust in a healthcare system that does not appropriately safeguard their most sensitive PHI," said OCR Director Roger Severino. "Covered entities and business associates have the responsibility under HIPAA to both identify and actually implement these safeguards."

St. Luke's emphasized its focus on patient privacy and security in a statement to Becker's Hospital Review. "We are working with HHS to meticulously review privacy and security protocols, ensuring all necessary safeguards are in place," according to the statement. "Compliance with [HIPAA] is a core tenet of our work and we will continue to remain committed to attaining the highest levels of success in this regard."

