St. Luke’s-Roosevelt Hospital Center Inc. paid the Department of Health and Human Services (HHS) nearly $400,000 in a recent HIPAA settlement after an employee improperly disclosed a patient’s HIV status and other restricted protected health information to the patient’s employer.

In a press release from May 23, the Office for Civil Rights (OCR) provided details regarding the HIPAA settlement. In September 2014, the OCR received a complaint from a patient at St. Luke’s Roosevelt Hospital Center Inc. (St. Luke’s) alleging that an employee of the Institute for Advanced Medicine, formerly the Spencer Cox Center for Health, disclosed protected health information to the patient’s employer. The information included the patient’s HIV status, sexual orientation, sexually transmitted diseases, medications, and mental health diagnosis.

Information of this kind is typically treated differently from other protected health information, because it can directly harm a patient if it reaches the wrong people. Many offices and hospitals require extra steps before this type of information is released. This case is a clear example of why every facility, regardless of size, should follow those steps.

Additionally, during the investigation, the OCR discovered that a previous breach had occurred at the Spencer Cox Center about nine months before the September incident, and that the vulnerabilities that led to that breach had not been addressed. Had those vulnerabilities been addressed, this more recent breach may not have occurred. The OCR imposed the large fine because the hospital did not take clear steps to address the issues discovered after the first breach, and because that lack of change left the door open for this very serious second breach. All health care organizations should continually review, evaluate, change, and implement their HIPAA practices in order to best safeguard PHI.

Roger Severino, the OCR director, stated: “… in exercising its enforcement authority, OCR takes into consideration aggravating factors such as the nature and extent of the harm caused by failure to comply with HIPAA requirements.” Essentially, part of the reason this settlement is so high is that mental health and HIV records, which are considered especially sensitive types of health information, were involved.

To learn more about protecting sensitive PHI, start using our HIPAA compliance tool today.