Hospital Outs HIV Patient in Stunning Privacy Rule Breach

A major hospital in one of the biggest cities in the world should have known how to handle the medical records of its most vulnerable patients. A careless Privacy Rule breach cost a patient his privacy and cost the hospital a $387,000 settlement with federal regulators.

It all started when an HIV-positive patient sought treatment at New York’s St. Luke’s-Roosevelt Hospital Center. The hospital’s staff is known for its care of HIV patients and conducts a thorough interview with everyone who seeks care.

Part of St. Luke’s intake process is a general physical and mental health screening. The record of that screening is mailed to an address of the patient’s choice.

Hospital faxes sexual and mental health details to employer

One of St. Luke’s patients provided a thorough history to his intake coordinator, covering his sexual history, sexual orientation, mental health issues, medications and history of physical abuse. He gave his personal post office box as the address for any correspondence.

Rather than send the medical records to the post office box, however, St. Luke’s faxed the documents to the patient’s employer, resulting in a major Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule breach.

One Privacy Rule breach leads to another

The patient became aware of the Privacy Rule breach and filed a complaint with the Department of Health and Human Services (HHS). The Office for Civil Rights (OCR), the HHS office that investigates HIPAA complaints, found that St. Luke’s had violated the Privacy Rule. As often happens during such an investigation, OCR also uncovered a second, similar disclosure.

St. Luke’s settled the case for $387,000 and agreed to a lengthy Corrective Action Plan.

Are you at risk for a Privacy Rule breach?

Does your organization honor patients’ requests about how and where their health information is sent? If you are not confident in your process, we’re here to help.
