New York Hospital Sued for Disclosing Patient’s HIV Status to Employer

Earlier this year, the Department of Health and Human Services’ Office for Civil Rights settled a case with Mount Sinai St. Luke’s Hospital to resolve alleged HIPAA violations over a 2014 impermissible disclosure of a patient’s HIV positive status to his employer.

St. Luke’s Hospital had faxed a document to the mailroom of the patient’s employer, rather than sending the information to a post office box as requested by the patient via his Authorization for Release of Medical Information form.

The hospital, formerly known as the Spencer Cox Center for Health, also faxed the PHI of another patient to an office where he volunteered. St. Luke’s Hospital agreed to pay OCR $387,000 to resolve the case.

St. Luke’s Hospital also agreed to a corrective action plan that required a review of its policies and procedures concerning PHI disclosures and further training of its employees. St. Luke’s Hospital accepted a mistake was made and the measures being undertaken will help to ensure similar incidents do not occur in the future. However, the hospital has refused to enter into a settlement agreement with the patient whose HIV positive status was disclosed.

The patient, a man in his 30s identified as John Doe and represented by the Law Offices of Jeffrey Lichtman, is suing St. Luke’s Hospital for negligence and negligent infliction of emotional distress.

After completing the Authorization for Release of Medical Information and requesting the records were sent to a private mailbox, a fax was sent to the patient’s place of work. The medical records were seen by mailroom staff and were handed to the patient’s supervisor.

According to the suit, “The documents delivered to our client contained information on his HIV status and care, previous diagnoses for other sexually-transmitted diseases, history of physical abuse, sexual orientation information, mental health history, prescription drug information, and social security number.”

The patient was devastated by the disclosure. He was still coming to terms with his diagnosis and had not told most of his family and friends. The stress caused by knowing his coworkers were aware of his diagnosis forced him to quit his job and lose substantial health benefits and insurance.  The increased cost of medical insurance at his new job placed him under severe financial pressure, forcing him to discontinue seeing his therapist, who was helping him cope with the exposure of his health information.

According to the lawsuit, St. Luke’s Hospital accepted this was an egregious breach and “tried to assuage our client by claiming that he was lucky just a mail room employee had received the fax with his health issues contained therein,” although no attempt was made to compensate the patient in any way for the error. The lawsuit seeks $2.5 million in damages.

This is not the only case of this nature to be filed in recent weeks. Recently, a mailing sent by a third-party vendor on behalf of Aetna resulted details of HIV medications being impermissibly disclosed. The information was visible through the clear plastic windows of envelopes. Up to 12,000 patients were affected by the error.

A lawsuit has been filed in the U.S. District Court for the Eastern District of Pennsylvania by The Legal Action Center, AIDS Law Project of Pennsylvania, and Berger & Montague, P.C., over the impermissible disclosure.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.