“Egregious” Disclosures by Hospital of Patients’ HIV Information in Violation of HIPAA Privacy Rule Requires $387,200 Payment to the U.S. Department of Health and Human Services

Court and Agency Decisions and Orders (including case law)

St. Luke’s - Roosevelt Hospital Center (“St. Luke’s”), located in New York City, entered into a Resolution Agreement, dated May 8, 2017 (the “Agreement”), with the U.S. Department of Health and Human Services (“HHS”) to resolve potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule (the “Rule”). The goal of the Rule is to assure that an individual’s health information is protected while allowing that information to be disclosed under certain conditions. The Agreement related to the disclosure of the private health information (“PHI”) of two patients by staff of St. Luke’s Institute for Advanced Medicine, formerly the Spencer Cox Center for Health.

The “impermissible disclosures,” concerning HIV, AIDS and mental health, were “egregious.” The Corrective Action Obligations in the Agreement require St. Luke’s to: (1) pay HHS $387,200; (2) review and revise as necessary the hospital’s policies and procedures regarding the use and disclosure of PHI; (3) distribute all related HIPAA policies and procedures to its workforce; and (4) review and revise its training materials on PHI as necessary.