On September 12, 2014, the OCR received a complaint alleging that the Spencer Cox Center disclosed sensitive PHI, including HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis and physical abuse. St. Luke’s-Roosevelt Hospital Center Inc., which operates the Spencer Cox Center, entered a resolution agreement and corrective action plan with the OCR for possible HIPAA violations and has paid a $387,200 fine.
A Simple Mistake?
The OCR investigation found that St. Luke’s disclosed PHI of two patients by faxing PHI to the employer of one patient and faxing PHI to an office where the second patient volunteered. The OCR stated that St. Luke’s failed to reasonably safeguard the patients’ PHI from “intentional or unintentional disclosure.”
The OCR’s resolution agreement requires St. Luke’s to:
- Review and, if necessary, revise its policies and procedures concerning the uses and disclosures of PHI, including mailing, faxing or other electronic PHI transmission.
- Distribute the policies and procedures to new hires and current employees, and obtain a signed compliance certification from each workforce member.
- Assess, update and revise the policies and procedures at least annually.
- Review and revise training programs pertaining to the safeguarding of PHI.
- Train new and existing employees on PHI safeguards.
- Review training at least annually and when there are updates needed to address changes in Federal law or HHS guidance, or any issues discovered during internal audits or reviews.
- Block PHI access for any employee who has not certified receipt of the policies and procedures for safeguarding PHI.
This Has Happened Before
In 2010, a St. Louis man filed a lawsuit alleging that Quest wrongfully disclosed his HIV status when it faxed his lab results to his employer. The patient’s doctor wrote the patient’s work fax number on a lab order so that office staff could fax the order to the patient at work. The patient took the order to Quest, which ran the labs and faxed the results to the patient at work. Quest mistakenly believed the fax number was written on the order so that Quest would fax the results to the patient’s employer. Six months after the fax was received, the patient was terminated.
The doctor argued that the lab results did not reveal the patient’s HIV status. The employer claimed it already knew the patient was HIV positive and had terminated his employment for financial reasons.
Still, Quest had to pay to defend this lawsuit. It is easy to imagine the dire consequences when a fax is misdirected, especially when that fax contains sensitive information.
Could This Happen To You?
The OCR resolution agreement provides a roadmap for all providers to address similar issues. This settlement is one example of how a simple mistake can lead to a hefty HIPAA fine. Use your HIPAA Security Risk Analysis process, plus HIPAA Walk-Through audits, to identify areas where your employees could be making inadvertent or sloppy mistakes, such as misdirected faxes, that could jeopardize patient confidentiality.