St. Luke’s Hospital Pays $387,000 to OCR for Disclosing Patient’s HIV Status to His Employer

Mount Sinai St. Luke’s Hospital settled a case with the Department of Health and Human Services’ Office for Civil Rights earlier this year. The 2014 case involved alleged HIPAA violations over an impermissible disclosure of a patient’s HIV positive status to his employer.

Instead of only mailing the document to the patient’s private mailbox as requested via his Authorization for Release of Medical Information form, St. Luke’s Hospital made the mistake of additionally faxing the document to the mailroom of the patient’s employer. The hospital, when it was still called Spencer Cox Center for Health, did a similar mistake by faxing the PHI of another patient to the office where he worked.

To settle the issue, St. Luke’s Hospital agreed to pay $387,000 to OCR. In addition, the hospital will take corrective actions such as reviewing the policies and procedures regarding PHI disclosures and re-training of the employees to ensure similar incidents won’t happen again in the future. But St. Luke’s refused to enter into any settlement agreement with the patient.

The patient, identified as John Doe and represented by the Law Offices of Jeffrey Lichtman, sued St. Luke’s Hospital for negligence and negligent infliction of emotional distress. According to the suit, the mailroom staff and the patient’s supervisor saw his medical records. Information contained in the documents included his HIV status and care, history of physical abuse, previous diagnoses of sexually-transmitted diseases, sexual orientation information, prescription drug details, mental health history and social security number.

The disclosure of positive HIV status devastated the patient. He still hadn’t told all of his family and friends about his diagnosis as he was still coping with his condition. The pressure of knowing his co-workers knew about his diagnosis forced him to quit his job. As a result, he lost substantial health benefits and insurance. His new job had higher medical insurance costs so he stopped seeing his therapist.

St. Luke’s Hospital admitted to the egregious breach but made no attempts to compensate the patient. The hospital only told the patient that he was lucky only the mailroom employee saw the documents about his health issues. The lawsuit wants the hospital to pay $2.5 million in damages.

About Christine Garcia 1310 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at