Healthcare entities have received another warning from the Office for Civil Rights (“OCR”) concerning yet another aspect of HIPAA compliance. OCR’s settlement with St. Luke’s-Roosevelt Hospital Center (“St. Luke’s”) focuses on controlling when and how PHI is released. St. Luke’s disclosure of sensitive PHI, in two instances, turned into a $387,200 fine and settlement.
What exactly happened? That is an interesting question, as there is a noticeable difference in detail between the official Resolution Agreement and the description in OCR’s press release. The Resolution Agreement blandly states that an individual complained following St. Luke’s disclosure of sensitive information to the complainant’s employer, information that included HIV, AIDS, and mental health information. The Resolution Agreement goes on to state that another individual’s records were also faxed to the wrong place, and that both instances occurred contrary to express instructions from the individuals.
In contrast, the press release provides greater detail as to the type of sensitive information about the complainant that was disclosed to the complainant’s employer. The information included the items already described as well as information about different types of abuse. As indicated, that information was faxed to the complainant’s employer instead of being mailed to a designated P.O. Box as requested. Further, the other improper transmission occurred prior to the event described by the complainant.
The fact that the second issue occurred first helps demonstrate why OCR found the incident identified by the complainant more troubling. The chronologically first event involved sensitive information of another individual and happened nine (9) months prior to the complainant’s incident. In the intervening months, St. Luke’s did not address the vulnerabilities and prevent the recurrence of an impermissible disclosure. Clearly, organizations must be careful not only in how PHI is handled but also in how it is sent out.
However, the settlement raises a number of questions. It is probably a safe bet that PHI is sent to the wrong place all of the time by providers or other covered entities, but fines do not usually follow. Why was St. Luke’s set up as an example? Did the nature of the information involved, i.e. HIV/AIDS, mental health, and abuse, influence the decision? Did the multiple incidents in a nine-month period influence OCR in its thinking? Did further incriminating facts exist that were not included in either the Resolution Agreement or the press release? All of those questions will remain unanswered unless St. Luke’s volunteers the information.
In the absence of additional information, examination of the details in the two reports can provide some illumination. The dual heavy emphasis on the PHI being of an especially sensitive nature and on its being sent to an employer seems to have factored significantly in OCR’s decision to impose an arguably hefty fine. Individuals should be secure in the trust given to healthcare organizations, and such trust is especially important when it concerns disclosure of PHI. PHI cannot be sent just anywhere, especially when instructions are provided as to how and where disclosure should be made. Such concerns become heightened when the information involves traditionally stigmatized issues.
In light of the somewhat vague nature of the settlement, what takeaways are being imparted? First, requests on how to disclose PHI must be honored. Individuals ask that PHI be sent to specific places for a reason. It is easy to see that having very personal information sent to an employer does not rank high on any individual’s list of priorities. Second, sensitive information will result in stricter scrutiny. Such scrutiny arises for the reasons already discussed. Third, OCR continues to cherry-pick issues of non-compliance, and subsequent violations deriving from the same conduct will likely face worse penalties.
As has often been the case recently, the healthcare industry has been warned. Entities ignore such warnings at their own peril.