Impermissible Disclosure of HIV Information Results in $387,000 HIPAA Settlement
St. Luke’s-Roosevelt Hospital Center, Inc. (SLRHC), a member of the New York-based Mount Sinai Health System, paid $387,000 to the U.S. Department of Health and Human Services (HHS) and entered into a corrective action plan (CAP) to resolve allegations related to the impermissible disclosure by fax of a patient’s HIV status to the patient’s employer. The patient had requested the protected health information (PHI) be sent to his personal post office box.
According to the HHS press release, SLRHC operates the Institute for Advanced Medicine (the Institute) (formerly the Spencer Cox Center for Health), which provides an array of health services for individuals living with HIV, AIDS and other chronic diseases. In 2014, the HHS Office for Civil Rights (OCR) received a complaint that an Institute staff person improperly disclosed PHI (HIV status, medical care, sexually transmitted diseases, medications, sexual orientation and mental health diagnosis) to the patient’s employer. As part of its investigation of the complaint, the OCR discovered that the Institute had made another impermissible disclosure of sensitive PHI nine months earlier and the Institute had not addressed those vulnerabilities as part of its compliance program to prevent impermissible disclosures from recurring.
SLRHC agreed to do each of the following as part of the three-year CAP:
- review and revise its policies and procedures concerning the uses and disclosures of PHI by mail, fax, or other means to ensure necessary HIPAA privacy and security compliance is in place;
- distribute the revised policies after they are approved by HHS to members of its workforce, and provide training with respect to the policies; and
- conduct a prompt investigation of any alleged future violation of the policies and procedures.
SLRHC did not admit any liability as part of the settlement.
The SLRHC resolution and settlement is an important reminder of the safeguards that must be in place for the disclosure of PHI, including “extra sensitive” PHI (e.g., HIV/AIDS, drug and alcohol, and mental health information), and of the ramifications of failing to have them in place.
HHS and OCR take seriously HIPAA’s protections for an individual’s PHI, including “extra sensitive” PHI. Disclosing HIV status or other PHI to the wrong individual can have significant repercussions for the affected individual. Covered entities and business associates must ensure proper precautions are in place with respect to the disclosure of all PHI.
This is the sixth settlement announced by the Trump Administration. Summaries of the most recent three settlements may be found here:
- Inappropriate Disclosure of a Single Patient Name Results in $2.4 Million HIPAA Settlement
- First HIPAA Settlement Involving a Wireless Health Services Provider
- Phishing Incident Leads to $400,000 HIPAA Settlement
Saul Ewing attorneys counsel and assist covered entities and business associates with respect to HIPAA Privacy Rule and Security Rule compliance. For more information about Saul Ewing’s HIPAA compliance practice, please contact the authors or the Saul Ewing attorney with whom you are regularly in contact.