Marianne Kolbasuk McGee, Gov Info Security; Big Settlement in Privacy Case Involving 2 Patients, HIV Data
"Sensitive Health Information
The high settlement amount paid by St. Luke's in a case involving privacy incidents impacting only two individuals reflects the sensitive nature of information that was breached.
"There is no doubt that OCR felt compelled to act due to the sensitivity of the PHI disclosed, that the organization should have been aware of the enhanced safeguards surrounding this type of PHI and there had been repeated occurrences of similar unauthorized disclosures," says privacy attorney David Holtzman of security firm CynergisTek.
"The message here is fix your problems when they happen," notes privacy attorney Kirk Nahra of the law firm Wiley Rein. "This was obviously a particularly sensitive piece of information, and it is possible that this also implicates a request for confidential communication or request for restriction in the HIPAA individual rights. So, while the [settlement] number may seem a bit high, this is both a repeated problem, and one that was not fixed, as well as a particularly harmful step.""