In this case, an investigation by the HHS Office for Civil Rights (OCR) found that an employee who worked at a center dedicated to treating patients with HIV/AIDs and other chronic diseases had faxed a patient's protected health information to a patient's employer, rather than the patient's personal post office box, as the patient had requested.
The fax contained details about the patient's health and personal history and medical treatment, including HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis and physical abuse, according to the May 24 press release issued by OCR.
During the investigation, which was triggered by a complaint the patient filed in 2014, OCR also found that the disclosure was the center's second such incident in less than a year. Nine months earlier, an employee at the center had sent another patient's information to a place where that patient volunteered. According to OCR, the center "had not addressed the vulnerabilities in their compliance program to prevent impermissible disclosures."
St. Luke's will pay $387,200 to settle allegations and enter into a
corrective action plan. In the accompanying resolution agreement, OCR noted that the disclosure of information related to the diagnosis or treatment of HIV/AIDS and mental health conditions was egregious and that the disclosures had occurred against the patients expressed instructions.