Hospital Fined $387,000 for HIPAA Violation
Unlawful disclosure of protected health information (PHI) has cost a New York City hospital a $387,000 settlement with the U.S. Department of Health and Human Services (HHS).
Spencer Cox Center for Health, now the Institute for Advanced Medicine run by St. Luke’s-Roosevelt Hospital Center in New York City, was penalised following a complaint received by the HHS Office for Civil Rights (OCR) in September 2014. It was found that staff from the Spencer Cox Center, which provides care for patients with HIV/AIDS in addition to individuals suffering from other chronic diseases, faxed PHI including HIV status to a patient’s employer rather than sending it to a post office box as the patient requested.
The OCR subsequently discovered that the Spencer Cox Center had experienced a data breach nine months prior to the one in the complaint but had failed to implement safeguards or otherwise address gaps in its compliance.
“Individuals cannot trust in a healthcare system that does not appropriately safeguard their most sensitive PHI,” according to Roger Severino, director of the OCR. He went on to note that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires both covered entities and associates to identify vulnerabilities and take corrective action.
The St. Luke’s-Roosevelt settlement comes amid a steady stream of similar actions by the OCR, following high-profile breaches involving cybersecurity failures, among others. The settlement is in the same ballpark as that paid by a Colorado provider for HIPAA violations and significantly less than the $2.4 million paid by Memorial Hermann Health System.
"In exercising its enforcement authority, OCR takes into consideration aggravating factors such as the nature and extent of the harm caused by failure to comply with HIPAA requirements,” Severino pointed out.
Source: Fierce Healthcare
Image Credit: GOV
Published on : Mon, 29 May 2017