Hospital Sued After Informing Employer of Patient’s HIV Status

by | Sep 15, 2017

The Department of Health and Human Services’ Office for Civil Rights, earlier in 2017, settled a case with Mount Sinai St. Luke’s Hospital to resolve alleged breaches of HIPAA following  a 2014 impermissible disclosure of a patient’s HIV positive status to his employer.

St. Luke’s Hospital had sent a document to the patient’s employer, instead of sending the information to a post office box as requested by the patient via his Authorization for Release of Medical Information form.

The hospital, previously known as the Spencer Cox Center for Health, also faxed the PHI of another patient to the center where he volunteered. St. Luke’s Hospital agreed to pay OCR $387,000 to settle the case.

St. Luke’s Hospital also agreed to a implement a corrective action plan that required a review of its policies and procedures concerning PHI disclosures and further training of its staff. St. Luke’s Hospital accepted a mistake was made and the measures being undertaken will help to ensure similar incidents do not happen in the future. However, the hospital has refused to enter into a settlement agreement with the patient whose HIV positive status was released without permission.

The patient, a man in his 30s named only as John Doe and represented by the Law Offices of Jeffrey Lichtman, is takign a legal action against St. Luke’s Hospital for negligence and negligent infliction of emotional distress.

After completing the Authorization for Release of Medical Information and asking the records be sent to a private mailbox, a fax was sent to the patient’s place of work. The medical records were viewed by mailroom staff and were handed to the patient’s supervisor.

According to the details of the suit, “The documents delivered to our client contained information on his HIV status and care, previous diagnoses for other sexually-transmitted diseases, history of physical abuse, sexual orientation information, mental health history, prescription drug information, and social security number.”

The patient was traumatized by the disclosure. It occurred while he was still coming to terms with his diagnosis and had not told most of his family and friends. The stress caused by knowing his coworkers were aware of his diagnosis led him to quit his job and lose substantial health benefits and insurance.  The increased cost of medical insurance at his new job put him under severe financial pressure, forcing him to discontinue seeing his therapist, who had been helping him cope with the exposure of his health information.

According to the lawsuit, St. Luke’s Hospital agreed this was an egregious breach and “tried to assuage our client by claiming that he was lucky just a mail room employee had received the fax with his health issues contained therein,” although no effort was made to compensate the patient in any way for the professional mistake. The lawsuit seeks $2.5 million in damages for the patient.

This is not the sole legal case of this nature to be filed in recent weeks. Recently, a mailing sent by a third-party vendor on behalf of Aetna led to details of HIV medications being disclosed without permission. The information was clearly visible through the plastic windows on the envelopes. Up to 12,000 patients were affected by the mistake.

A lawsuit has been submitted in the U.S. District Court for the Eastern District of Pennsylvania by The Legal Action Center, AIDS Law Project of Pennsylvania, and Berger & Montague, P.C., over the impermissible disclosure of the information.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy