On May 23, the U.S. Department of Health and Human Services (HHS) announced that St. Luke’s-Roosevelt Hospital Center in New York City entered into a $387,200 settlement for failing to appropriately safeguard two patients’ protected health information (PHI). The impermissible disclosures of PHI were made by the Spencer Cox Center for Health, operated by St. Luke’s and now known as the Institute for Advanced Medicine, which provides healthcare to persons living with HIV or AIDS and other chronic diseases.

According to a complaint made to HHS's Office for Civil Rights (OCR) in September 2014, a staff member at the Spencer Cox Center faxed a patient's PHI, including his HIV status, to his employer instead of mailing it to his personal post office box as he had requested. In the course of its investigation, OCR discovered that the Spencer Cox Center had previously faxed another patient's PHI to an office where he volunteered, also without authorization. After that earlier incident, the Center failed to address the weaknesses in its compliance program that had allowed the disclosure, so the second one followed.

The St. Luke's settlement comes only a few weeks after Memorial Hermann Health System reached a $2.4 million settlement with OCR arising out of the improper disclosure of a single patient's PHI, as discussed here. The timing suggests that OCR intends to reiterate its warning that even a breach affecting a small number of individuals, here two patients, can be the subject of a costly enforcement action, particularly where a covered entity fails to correct a known weakness after a first incident.