St. Luke’s-Roosevelt Hospital Center Inc. has paid the Department of Health and Human Services’ Office for Civil Rights (OCR) $387,200 to resolve potential HIPAA violations identified during an OCR investigation of a complaint about an impermissible disclosure of protected health information (PHI).
In September 2014, OCR received a complaint about a potential privacy violation involving a patient of St. Luke’s Spencer Cox Center for Health. The complaint alleged that a member of St. Luke’s staff had breached the patient’s privacy by faxing protected health information to the patient’s employer.
The information contained in the fax was highly sensitive, including the patient’s sexual orientation, HIV status, sexually transmitted diseases, mental health diagnosis, details of physical abuse the patient had suffered, medical care and medications. The patient had asked that the information be mailed to a personal post office box; it should have been sent there and not faxed to the workplace.
The investigation revealed that this was not the only time the HIPAA Privacy Rule had been violated in this manner. Nine months earlier, another individual’s PHI had been faxed to an office where that individual was a volunteer.
The Privacy Rule violations in both cases were particularly serious because of the highly sensitive nature of the information disclosed. In the resolution agreement, OCR described the impermissible disclosures as appalling.
HIPAA Rules require covered entities to reasonably safeguard patients’ protected health information from any intentional or unintentional use or disclosure that violates the Privacy Rule. The investigation found that St. Luke’s had failed to do so twice, in violation of 45 C.F.R. § 164.530(c)(2)(i). Moreover, after the first impermissible disclosure, St. Luke’s did not address the weaknesses in its compliance program that had allowed it to happen. Had those weaknesses been corrected, the second violation could have been prevented.
In addition to paying OCR $387,200, St. Luke’s must adopt a Corrective Action Plan (CAP) to prevent a recurrence. The CAP requires St. Luke’s to review and update its policies and procedures covering permissible uses and disclosures of PHI and to train staff members on those updates.
In a press release announcing the settlement, OCR Director Roger Severino said, “Individuals cannot trust in a health care system that does not appropriately safeguard their most sensitive PHI.” He added that “Covered entities and business associates have the responsibility under HIPAA to both identify and actually implement these safeguards.” OCR considers the nature of the breach and the extent of the harm caused when deciding on an appropriate settlement amount.
As of May 2017, there have already been nine HIPAA settlements this year between OCR and covered entities to resolve violations identified during investigations of complaints and data breaches. At the current rate of almost two settlements per month, OCR is on course to double last year’s record number of HIPAA enforcement penalties. The rise shows that OCR is taking a much harder line with covered entities that do not comply with HIPAA Rules.
Two of the more recent penalties resulted from complaints about violations affecting only one or two patients. It is no longer just large-scale data breaches that attract financial penalties: any serious violation of HIPAA Rules can now result in a fine.