Hospital Sued After Informing Employer of Patient’s HIV Status

The Department of Health and Human Services’ Office for Civil Rights, earlier in 2017, settled a case with Mount Sinai St. Luke’s Hospital to resolve alleged breaches of HIPAA following  a 2014 impermissible disclosure of a patient’s HIV positive status to his employer.

St. Luke’s Hospital had sent a document to the patient’s employer, instead of sending the information to a post office box as requested by the patient via his Authorization for Release of Medical Information form.

The hospital, previously known as the Spencer Cox Center for Health, also faxed the PHI of another patient to the center where he volunteered. St. Luke’s Hospital agreed to pay OCR $387,000 to settle the case.

St. Luke’s Hospital also agreed to a implement a corrective action plan that required a review of its policies and procedures concerning PHI disclosures and further training of its staff. St. Luke’s Hospital accepted a mistake was made and the measures being undertaken will help to ensure similar incidents do not happen in the future. However, the hospital has refused to enter into a settlement agreement with the patient whose HIV positive status was released without permission.

The patient, a man in his 30s named only as John Doe and represented by the Law Offices of Jeffrey Lichtman, is takign a legal action against St. Luke’s Hospital for negligence and negligent infliction of emotional distress.

After completing the Authorization for Release of Medical Information and asking the records be sent to a private mailbox, a fax was sent to the patient’s place of work. The medical records were viewed by mailroom staff and were handed to the patient’s supervisor.

According to the details of the suit, “The documents delivered to our client contained information on his HIV status and care, previous diagnoses for other sexually-transmitted diseases, history of physical abuse, sexual orientation information, mental health history, prescription drug information, and social security number.”

The patient was traumatized by the disclosure. It occurred while he was still coming to terms with his diagnosis and had not told most of his family and friends. The stress caused by knowing his coworkers were aware of his diagnosis led him to quit his job and lose substantial health benefits and insurance.  The increased cost of medical insurance at his new job put him under severe financial pressure, forcing him to discontinue seeing his therapist, who had been helping him cope with the exposure of his health information.

According to the lawsuit, St. Luke’s Hospital agreed this was an egregious breach and “tried to assuage our client by claiming that he was lucky just a mail room employee had received the fax with his health issues contained therein,” although no effort was made to compensate the patient in any way for the professional mistake. The lawsuit seeks $2.5 million in damages for the patient.

This is not the sole legal case of this nature to be filed in recent weeks. Recently, a mailing sent by a third-party vendor on behalf of Aetna led to details of HIV medications being disclosed without permission. The information was clearly visible through the plastic windows on the envelopes. Up to 12,000 patients were affected by the mistake.

A lawsuit has been submitted in the U.S. District Court for the Eastern District of Pennsylvania by The Legal Action Center, AIDS Law Project of Pennsylvania, and Berger & Montague, P.C., over the impermissible disclosure of the information.