On May 23, the U.S. Department of Health and Human Services (HHS) announced that St. Luke's-Roosevelt Hospital Center in New York City entered into a $387,200 settlement for failing to appropriately safeguard two patients' protected health information (PHI). The impermissible disclosures of PHI were made by the Spencer Cox Center for Health, operated by St. Luke's and now known as the Institute for Advanced Medicine, which provides healthcare to persons living with HIV or AIDS and other chronic diseases.

According to a complaint made to HHS's Office for Civil Rights (OCR) in September 2014, a staff member at the Spencer Cox Center faxed PHI, including HIV status, to one patient's employer instead of mailing it to his personal post office box as had been requested. In the course of its investigation, the OCR discovered that the Spencer Cox Center had previously inappropriately faxed another patient's PHI to an office where he volunteered. After the earlier breach, the Center failed to address the vulnerabilities in its compliance program.
The St. Luke's settlement comes only a few weeks after Memorial Hermann Health System reached a $2.4 million settlement with the OCR arising out of the improper disclosure of a single patient's PHI, as discussed here. It appears that the OCR may have wished to reiterate the warning that even a breach that affects a small number of individuals may be the subject of a costly enforcement action.