Feds settle with St. Joseph's over alleged HIPAA violation
Saint Joseph's Medical Center paid $80,000 to OCR and agreed to implement a corrective action plan.
The U.S. Department of Health and Human Services' Office for Civil Rights has settled with New York-based Saint Joseph's Medical Center for potential violations of the Health Insurance Portability and Accountability Act of 1996 Privacy Rule. The settlement involved the impermissible disclosure of COVID-19 patients' protected health information to a national media outlet.
OCR investigated Saint Joseph's Medical Center after the Associated Press published an article about the medical center's response to the COVID-19 public health emergency, which included photographs and information about the facility's patients. These images were distributed nationally, exposing protected health information including patients' COVID-19 diagnoses, current medical statuses and medical prognoses, vital signs and treatment plans.
The agency determined that St. Joseph's disclosed three patients' protected health information to the Associated Press without first obtaining written authorization from the patients, therefore potentially violating the HIPAA Privacy Rule. Under the HIPAA Privacy Rule, a covered entity (including a healthcare provider) may not use or disclose protected health information unless the Privacy Rule permits or requires it, or the individual whose information is in question (or their personal representative) authorizes it in writing.
Therefore, regulated entities cannot disclose a patient's protected health information to the media without first obtaining written authorization from the patient permitting the entity to do so. This includes when healthcare providers have print or television reporters on the premises.
WHAT'S THE IMPACT?
Saint Joseph's Medical Center paid $80,000 to OCR and agreed to implement a corrective action plan requiring the facility to develop written policies and procedures that comply with the HIPAA Privacy Rule.
The hospital also agreed to train its workforce on the revised policies and procedures. Under this agreement, OCR will monitor St. Joseph's for two years to ensure compliance with the plan and with the law.
THE LARGER TREND
In 2020, OCR issued guidance addressing how HIPAA permits the use of health information exchanges to disclose protected health information for public health purposes.
A covered entity is required to provide individuals with notice that it discloses protected health information for public health activities, the guidance read.
The guidance outlines several circumstances in which such disclosures are permitted without an individual's authorization, including when the disclosure is required by federal, state, local or other law; when a health information exchange (HIE) is a business associate of the covered entity that wishes to provide the information to a public health authority; and when an HIE is acting under a grant of authority or contract with a public health authority for a public health activity.
Email the writer: Jeff.Lagasse@himssmedia.com