PogoWasRight.org


HHS’ Office for Civil Rights Settles HIPAA Investigation of St. Joseph’s Medical Center for Disclosure of Patients’ Protected Health Information to a News Reporter

Posted on November 20, 2023 (updated June 24, 2025) by Dissent

HHS has announced another settlement:

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Saint Joseph’s Medical Center for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. Saint Joseph’s Medical Center is a non-profit academic medical center in New York that provides a full range of health care services. The settlement involved the impermissible disclosure of COVID-19 patients’ protected health information to a national media outlet.

“When receiving medical care in hospitals and emergency rooms, patients should not have to worry that providers may disclose their health information to the media without their authorization,” said OCR Director Melanie Fontes Rainer. “Providers must be vigilant about patient privacy and take necessary steps to protect it and follow the law. The Office for Civil Rights will continue to take enforcement actions that put patient privacy first.”

OCR investigated Saint Joseph’s Medical Center after the Associated Press published an article about the medical center’s response to the COVID-19 public health emergency, which included photographs and information about the facility’s patients. These images were distributed nationally, exposing protected health information including patients’ COVID-19 diagnoses, current medical statuses and medical prognoses, vital signs, and treatment plans.

OCR determined that Saint Joseph’s Medical Center disclosed three patients’ protected health information to the Associated Press without first obtaining written authorization from the patients, therefore potentially violating the HIPAA Privacy Rule. Under the HIPAA Privacy Rule, a covered entity (including a health care provider) may not use or disclose protected health information, except either:

  • As the HIPAA Privacy Rule permits or requires; or
  • The individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.

Therefore, regulated entities cannot disclose a patient’s protected health information to the media without first obtaining written authorization from the patient permitting the entity to do so. This includes when health care providers have print or television reporters on the premises.

Saint Joseph’s Medical Center paid $80,000 to OCR and agreed to implement a corrective action plan requiring the facility to develop written policies and procedures that comply with the HIPAA Privacy Rule. Saint Joseph’s Medical Center also agreed to train its workforce on the revised policies and procedures. Under this agreement, OCR will monitor St. Joseph’s Medical Center for two years to ensure compliance under the plan and with the law.

The resolution agreement and corrective action plan may be found at:
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/sjmc-ra-cap/index.html
