News & Insights

Faxed HIV Information Costs Hospital $387K

June 07, 2017

Faxed HIV Information Costs Hospital $387K

St. Luke’s-Roosevelt Hospital Center, Inc. recently paid more than $387,000 on behalf of one of its affiliate entities, the Institute of Advanced Medicine (formerly the Spencer Cox Center). This payout to the HHS Office for Civil Rights (OCR) settled potential HIPAA violations resulting from the mishandling of sensitive information concerning a patient’s HIV status faxed to an unintended recipient. In addition to this financial settlement, St. Luke’s has also agreed to implement a comprehensive corrective action plan to prevent this mistake in the future.

The OCR received a complaint in 2014 alleging that a staff member from the Spencer Cox Center impermissibly disclosed a patient’s protected health information (PHI), including sensitive information concerning HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis and physical abuse, to his or her employer. The OCR investigation found that a Spencer Cox Center staff member was responsible for faxing the patient’s PHI to his employer rather than mailing it to the requested personal post office box.

In addition to this incident, the OCR investigation also found that the Spencer Cox Center was responsible for a prior breach of sensitive information and had not addressed their compliance program in the nine months since to prevent future impermissible disclosures. The earlier violation combined with further noncompliance resulted in this severe penalty.

According to OCR Director Roger Severino in an article from HHS, “covered entities and business associates have the responsibility under HIPAA to both identify and actually implement these safeguards.”

The full Resolution Agreement and Corrective Action Plan may be found on the OCR website here.

To learn more about non-discrimination and health information privacy laws, including civil rights and privacy rights in healthcare and human service settings, please click here.

For consultation about PHI disclosure best practices or to review your HIPAA compliance protocols, contact your local LAMMICO Risk Management and Patient Safety representative or dial 504.841.5211.

 

Recommended Reading For You

LAMMICO Lagniappe: Calm Amidst Claims

Read More

Protecting PHI From a Former Employee

Read More

Protect Your Income

Read More

Newsletters:

Annual Reports:

Receive Regular Updates: