$387,200 Fine from HHS OCR for the Improper Disclosure of PHI to an Employer and a Volunteer Organization

Kevin Coy
Arnall Golden Gregory LLP
Contact
LinkedIn
Facebook
X
Send
Embed

On May 23, 2017, the Department of Health and Human Services Office of Civil Rights (HHS OCR) announced a settlement with St. Luke’s-Roosevelt Hospital Center, part of the Mount Sinai Health System, to resolve allegations that protected health information (PHI) had been improperly been disclosed to a patient’s employer in one case, and a volunteer organization in another incident.

St. Luke’s operates the Institute for Advanced Medicine (formerly the Spencer Cox Center for Health), which provides comprehensive health services to individuals living with HIV, AIDS and other chronic conditions. In September 2014, HHS OCR received a complaint alleging that a staff member at Spencer Cox impermissibly faxed PHI about a patient to the patient’s employer rather than sending it to a post office box as had been requested. The fax included sensitive PHI including information pertaining to HIV status, sexually transmitted disease, medications, mental health diagnosis, physical abuse and other information about the individual’s care. As a result of its investigation, HHS OCR determined that approximately nine months prior to this errant fax, staff at Spencer Cox also had erroneously faxed the PHI of another patient to an office where that patient volunteered.

The settlement consisted of a fine of $387,200 and a three-year corrective action plan requiring St. Luke’s to revise its policies and procedure and train its staff. HHS OCR’s press release announcing the settlement quotes HHS OCR Director Roger Severino stating: “In exercising its enforcement authority, OCR takes into consideration aggravating factors such as the nature and extent of the harm caused by failure to comply with HIPAA requirements.” The resolution agreement characterizes the violations as “egregious” given the type of PHI that was involved, specifically referencing the information about HIV, AIDS and mental health.

The case underscores the importance of safeguarding PHI as part of day-to-day operations. In this case, two errant faxes sent approximately nine months apart about two different patients, resulted in a significant HIPAA fine. The amount of the fine clearly appears to have been impacted by the type of PHI impermissibly disclosed, but the disclosure of other types of PHI in the same manner also would constitute a HIPAA violation. As a result, even if a covered entity or business associate does not regularly communicate sensitive PHI such as HIV/AIDS or mental health information, it is still important to take care when communicating PHI to third parties (by any means, not only by fax) and to train staff on how to properly communicate PHI.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Arnall Golden Gregory LLP | Attorney Advertising

Written by:

Arnall Golden Gregory LLP
Arnall Golden Gregory LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Arnall Golden Gregory LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide