Mount Sinai St. Luke’s Hospital in New York City paid a $387,000 settlement regarding alleged faxing of protected health information—including HIV status—to the complainant’s employer, rather than mailing it to the requested personal post office box.

Such “careless handling of HIV information” is a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, according to a press release by the U.S. Department of Health and Human Services (HHS), which received the settlement from St. Luke’s. The hospital also agreed to implement an action plan to ensure that this doesn’t happen again.

According to the HHS release, in September 2014 the HHS Office of Civil Rights (OCR) received a complaint that a staff member at the St. Luke’s-operated Spencer Cox Center for Health (now called the Institute for Advanced Medicine) had faxed the private information. The data included HIV status, mental health diagnosis, physical abuse, medications, sexual orientation and sexually transmitted infections.

What’s more, investigations revealed that this was not the first time staff at the Spencer Cox Center impermissibly faxed a patient’s information.

“Individuals cannot trust in a health care system that does not appropriately safeguard their most sensitive PHI [protected health information],” said Roger Severino, OCR director, in the statement. “Covered entities and business associates have the responsibility under HIPAA to both identify and actually implement these safeguards. In exercising its enforcement authority, OCR takes into consideration aggravating factors such as the nature and extent of the harm caused by failure to comply with HIPAA requirements.”

In an article about the settlement published by Information Security Media Group (ISMG), privacy attorney Kirk Nahra of the law firm Wiley Rein notes that “the message here is fix your problems when they happen. This was obviously a particularly sensitive piece of information, and it is possible that this also implicates a request for confidential communication or request for restriction in the HIPAA individual rights. So, while the [settlement] number may seem a bit high, this is both a repeated problem, and one that was not fixed, as well as a particularly harmful step.”

As ISMG points out, St. Luke’s corrective action plan calls for the hospital to take these steps:

  • Revise as necessary written policies and procedures concerning the uses and disclosures of protected health information, including by mail, fax or other electronic transmission;
  • Distribute those policies and procedures to its workforce and update them at least annually;
  • Review and revise its training materials to include instructions on safeguarding PHI, and provide that training to its workforce.