HHS’s Office for Civil Rights (OCR) has agreed to a settlement with St. Joseph’s Medical Center.
The OCR recently completed an investigation into St. Joseph’s Medical Center, a New York-based facility, regarding claims of an impermissible disclosure.
According to the allegations, the medical center agreed to be part of a 2020 article published by the Associated Press about the academic facility’s response to the COVID-19 pandemic. St. Joseph’s agreed to include photographs of 3 patients alongside their diagnoses, current medical statuses, and treatment plans.
The photos and information were included without the patient’s written consent, which could be considered a violation under the HIPAA Privacy Rule. According to the HHS, the article was distributed nationally.
In the settlement agreement, St. Joseph has agreed to pay the OCR a penalty of $80,000. Alongside the fine, the facility will implement a corrective action plan to ensure they have HIPAA-compliant written policies and procedures. The new policies and procedures must be provided to the OCR within 90 days.
The OCR will then have 60 days to approve the new procedures. After approval, the medical center will train employees on the updated policies and procedures. The OCR will continue to monitor St. Joseph for two years to ensure they are HIPAA-compliant.
According to the HHS, for St. Joseph’s to have permissibly shared the patient information with the Associated Press, they would have needed written authorization. This rule applies to both print and television.
In most cases, a HIPAA-covered entity may only disclose protected health information if the HIPAA Privacy Rule permits or requires the disclosure or if the individual (or their representative) authorizes it in writing.
According to the HHS’s media guide, health providers should not allow media personnel into areas where patients’ protected health information is available without written consent. Furthermore, it is insufficient to mask identities through digital techniques like pixelation or voice alteration.
HHS published a press release regarding the settlement. “When receiving medical care in hospitals and emergency rooms, patients should not have to worry that providers may disclose their health information to the media without their authorization,” said Melanie Fontes Rainer, Director of the OCR.
“Providers must be vigilant about patient privacy and take necessary steps to protect it and follow the law. The Office for Civil Rights will continue to take enforcement actions that puts patient privacy first,” Fontes Rainer added.
The incident at St. Joseph’s Medical Center is a reminder that patient privacy must always be at the forefront. Medical centers must be mindful of their HIPAA obligations, even when discussing breaking news or engaging in timely discussions.
New York has faced many cybersecurity issues in the health sector outside of impermissible disclosures. The government is now proposing new security regulations to prevent cyberattacks.
Related: HIPAA Compliant Email: The Definitive Guide.