Errant faxes net St. Luke’s-Roosevelt a $387,200 data privacy fine
St. Luke’s-Roosevelt Hospital Center has been sanctioned by federal agencies after the New York provider faxed extremely sensitive protected health information on two patients to their employers on two occasions during 2014.
The faxes were to have gone to the patients instead. Because of the release of their health information, St. Luke’s, part of Mount Sinai Health System, has paid a $387,200 fine to the HHS Office for Civil Rights to settle violations of the HIPAA privacy rule. In addition, the hospital has entered into a three-year corrective action plan.
St. Luke’s operates the Institute for Advanced Medicine, known during the time of the incidents as the Spencer Cox Center for Health, offering treatment to persons with HIV or AIDS. In September 2014, OCR received a complaint from a patient that his PHI had been faxed to his employer rather than sent to a personal post office box, as he requested.
The PHI included information on HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis and physical abuse, according to OCR.
During the investigation of that breach, OCR learned of another similar situation that occurred earlier in 2014; at that time, St. Luke’s had not addressed vulnerabilities to prevent impermissible disclosures, according to the agency.
“Individuals cannot trust in a healthcare system that does not appropriately safeguard their most sensitive PHI,” OCR Director Roger Severino said in a statement. “Covered entities and business associates have the responsibility under HIPAA to both identify and actually implement these safeguards.”
Under the resolution agreement, St. Luke’s agreed to review and revise its policies and procedures on uses and disclosures of PHI, ensure that all employees understand those policies and procedures, update them at least annually, review and revise training materials as necessary, retrain all employees on HIPAA procedures by the end of October and annually thereafter, and provide specific training to employees responsible for faxing and transmitting protected health information.
St. Luke's and Mount Sinai West issued the following statement on the incidents and punishment:
"Patient privacy and security is a top priority at Mount Sinai St. Luke's and Mount Sinai West. We are working with HHS to meticulously review privacy and security protocols, ensuring all necessary safeguards are in place. Compliance with the Health Insurance Portability and Accountability Act is a core tenet of our work, and we will continue to remain committed to attaining the highest levels of success in this regard."
St. Luke’s corrective action plan is available here.