St. Luke’s-Roosevelt Hospital Center Inc. (the “Hospital”) (a HIPAA covered entity) committed costly mistakes when the Hospital disclosed sensitive protected health information (“PHI”) of two patients to incorrect recipients. Information regarding individuals’ HIV status, AIDS, sexually transmitted diseases, mental health, and physical abuse was involved. For one individual, the Hospital faxed the PHI to the individual’s employer instead of mailing the information to a post office box, as the individual requested.

Although the Hospital had a compliance program in place, it failed to modify the program after a separate incident occurred several months earlier, where the hospital faxed an individual’s PHI to an office where the individual volunteered. These incidents of disclosure of sensitive PHI were considered “egregious” by the HHS’s Office for Civil Rights (“OCR”).

As a result of the egregious HIPPA violations, the Hospital agreed to pay $387,200 to HHS and agreed to a three-year corrective action plan requiring the Hospital to routinely review and revise its policies and procedures regarding its handling of PHI. The OCR may have come down hard on the Hospital due to the hypersensitivity of the information disclosed. The settlement provides as a reminder that it is important to have HIPAA policies, procedures, and training in place to ensure compliance for protection of PHI and mitigation of damages caused by improper disclosure.