Disclosure of HIV Status to Employer Results in $387,000 HIPAA Fine

by Patrick Kennedy | May 25, 2017

St. Luke’s-Roosevelt Hospital Center Inc. has paid OCR $387,200 to resolve potential HIPAA violations identified during an OCR investigation of a complaint about a disclosure of PHI without the patient’s permission.

In September 2014, OCR was informed of a potential privacy violation involving a patient of St. Luke’s Spencer Cox Center for Health. The complaint alleged that a member of St. Luke’s staff breached the privacy of a patient by faxing protected health information to that person’s employer.

The information contained in the fax was highly sensitive, including the patient’s sexual orientation, HIV status, sexually transmitted diseases, mental health diagnosis, details of physical abuse the person had suffered, medical care and medications. As the patient had requested, the information should have been sent to a personal post office box, not faxed.

The investigation revealed that this was not the only time the HIPAA Privacy Rule had been violated in this manner. A similar incident had occurred nine months earlier, when an individual’s PHI was faxed to an office where he was a volunteer.

The Privacy Rule violations in both cases were particularly serious because of the highly sensitive nature of the information that was disclosed. In the resolution agreement, OCR described the impermissible disclosures as appalling.

HIPAA Rules require covered entities to safeguard patients’ protected health information at all times. The investigation revealed that St. Luke’s had failed to do so twice, in violation of 45 C.F.R. § 164.530(c)(2)(i). In addition, after the first impermissible disclosure, St. Luke’s did not address the vulnerabilities in its compliance program that allowed further impermissible disclosures to occur. Had those vulnerabilities been addressed, the second privacy violation could have been avoided.

In addition to paying OCR $387,200, St. Luke’s must adopt a Corrective Action Plan (CAP) to prevent a recurrence. The CAP includes reviewing and updating policies and procedures covering permissible uses and disclosures of PHI, and training staff members on the policy and procedural updates.

OCR issued a press release in which OCR director Roger Severino said, “Individuals cannot trust in a health care system that does not appropriately safeguard their most sensitive PHI.” He went on to explain that “Covered entities and business associates have the responsibility under HIPAA to both identify and actually implement these safeguards.” OCR considers the nature of the breach and the extent of the harm caused when deciding an appropriate settlement amount.

As of May 2017, there have already been nine HIPAA settlements this year between OCR and covered entities to resolve HIPAA violations identified during the investigation of complaints and data breaches. At the current rate of almost two settlements per month, OCR will double last year’s record-breaking number of HIPAA enforcement penalties. The rise in HIPAA penalties shows that OCR is taking a much harder line on covered entities that do not comply with HIPAA Rules.

Two of the more recent penalties resulted from complaints involving HIPAA violations relating to only one or two patients. It is no longer just large-scale data breaches that warrant financial penalties; any severe violation of HIPAA Rules can now result in a HIPAA fine.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
