Misdirected fax causes egregious HIPAA breach, OCR says

June 2, 2017
Medicare Web

Two misdirected faxes cost a New York City hospital $387,200 in a HIPAA settlement. St. Luke’s-Roosevelt Hospital Center, Inc., part of the Mount Sinai Health System, is the ninth entity this year to settle potential HIPAA violations with the HHS Office for Civil Rights (OCR).

The settlement stems from a patient complaint filed with OCR in 2014, the agency said in a May 23 statement. St. Luke’s operates the Institute for Advanced Medicine, then known as the Spencer Cox Center, which provides health services to individuals with HIV/AIDS and other chronic illnesses. The patient, who was receiving treatment at the Spencer Cox Center, alleged that a staff member faxed the patient’s protected health information (PHI) to his employer rather than sending it to a personal post office box, as requested by the patient. The PHI included the patient’s HIV status, mental health diagnosis, physical abuse information, sexually transmitted infection information, sexual orientation, and medical care.

OCR’s investigators also discovered that a similar breach had occurred nine months earlier, when Spencer Cox Center staff faxed another patient’s PHI to an organization at which he volunteered. St. Luke’s took no action after that first incident to address the vulnerability and prevent a recurrence, according to the corrective action plan (CAP).

Although all HIPAA breaches must be reported to OCR, the agency generally opens investigations only into breaches affecting 500 or more individuals. OCR may, however, launch a full investigation of any HIPAA breach, regardless of size, and a patient complaint can trigger one as it did here. The investigation of St. Luke’s identified only two breaches, but the agency chose to act based on the highly sensitive nature of the PHI. The CAP called the impermissible disclosures “egregious.” The nature and extent of harm caused to the individuals factored into the agency’s decision to take action, OCR said in its statement.

In 2016, the agency announced that it planned to step up investigations of small breaches, meaning breaches affecting fewer than 500 individuals. The agency uses settlement agreements as examples, and organizations are advised to learn from the mistakes of others. Human error may be inevitable, but organizations have a duty to minimize risks, and in this case the aggravating factor was not the first misdirected fax but the failure to fix the process after it.
