OCR Announces HIPAA Settlement for Careless Handling of HIV Information.

Date posted: July 3, 2017

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently reported that St. Luke’s-Roosevelt Hospital Center Inc. (St. Luke’s) paid $387,200 as part of a Health Insurance Portability and Accountability Act (HIPAA) settlement. St. Luke’s also agreed to implement a comprehensive corrective action plan (CAP) to settle the HIPAA Privacy Rule violations. St. Luke’s provides comprehensive health services to persons living with HIV or AIDS and other chronic diseases. The compliance review was initiated when OCR responded to a complaint alleging that a St. Luke’s staff member made an impermissible disclosure of a patient’s protected health information (PHI) to the complainant’s employer. The alleged disclosure included sensitive information concerning HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis, and physical abuse. OCR found that St. Luke’s staff impermissibly faxed the patient’s PHI to his employer rather than sending it to the requested personal post office box. OCR also found another related breach that occurred nine months earlier; however, St. Luke’s had not since addressed the vulnerabilities in its compliance program to prevent impermissible disclosures.

The full article is available at:

