May 2017—–The U.S. Department of Health & Human Services(HHS), Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on impermissible disclosure of protected health information (PHI). St. Luke’s-Roosevelt Hospital Center Inc. (St. Luke’s) has paid HHS $387,200 to settle potential violations of the HIPAA Privacy Rule and agreed to implement a comprehensive corrective action plan. St. Luke’s operates the Institute for Advanced Medicine, formerly Spencer Cox Center for Health (the Spencer Cox Center), which provides comprehensive health services to persons living with HIV or AIDS and other chronic diseases. St. Luke’s is 1 of 7 hospitals that comprise the Mount Sinai Health System (MSHS).
In September 2014, OCR received a complaint alleging that a staff member from the Spencer Cox Center impermissibly disclosed the complainant’s PHI to the complainant’s employer. This impermissible disclosure included sensitive information concerning HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis, and physical abuse. OCR’s subsequent investigation revealed that staff at the Spencer Cox Center impermissibly faxed the patient’s PHI to his employer rather than sending it to the requested personal post office box. Additionally, OCR discovered that the Spencer Cox Center was responsible for a related breach of sensitive information that occurred nine months prior to the aforementioned incident but had not addressed the vulnerabilities in their compliance program to prevent impermissible disclosures.