The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its 11th HIPAA penalty of 2023. St. Joseph’s Medical Center, a non-profit academic medical center in New York, was investigated over the disclosure of patients’ protected health information (PHI) to a reporter and has paid a $80,000 financial penalty to resolve the alleged HIPAA violations.

The Privacy Rule of the Health Insurance Portability and Accountability Act permits disclosures of PHI for the purpose of treatment, payment, and healthcare operations but other disclosures of PHI are generally prohibited unless authorization is obtained from a patient. OCR launched an investigation of St. Joseph’s Medical Center on April 20, 2020, pursuant to the publication of an article in the media by a reporter from the Associated Press (AP). Based on the information in the article it appeared that the reporter had been allowed to observe three patients who were being treated for COVID-19.

The article included information about the medical center’s response to the COVID-19 public health emergency and photographs and information about the facility’s patients. The images were distributed nationally, exposing PHI such as patients’ COVID-19 diagnoses, current medical statuses and medical prognoses, vital signs, and treatment plans. OCR’s investigation found evidence to suggest that St. Joseph’s Medical Center had allowed the reporter access to the patients and their clinical information. St. Joseph’s Medical Center had not obtained consent and valid HIPAA authorizations from the patients and the disclosure of PHI was not permitted by the HIPAA Privacy Rule.

St. Joseph’s Medical Center chose to settle the alleged HIPAA violation with OCR with no admission of liability and agreed to adopt a corrective action plan (CAP). The CAP requires St. Joseph’s Medical Center to review and, to the extent necessary, develop, maintain, and revise its written privacy policies and procedures to ensure they are compliant with the HIPAA Privacy Rule, provide those policies and procedures to OCR for review, distribute the updated policies and procedures to members of the workforce, and obtain a signed written or electronic compliance certification from all members of the workforce confirming they have read and understood the new policies and procedures. St. Joseph’s Medical Center will also be monitored by OCR for compliance for 2 years.

“When receiving medical care in hospitals and emergency rooms, patients should not have to worry that providers may disclose their health information to the media without their authorization,” said OCR Director Melanie Fontes Rainer. “Providers must be vigilant about patient privacy and take necessary steps to protect it and follow the law. The Office for Civil Rights will continue to take enforcement actions that puts patient privacy first.”

Disclosures of PHI in Response to Media Enquires

When it comes to disclosures of PHI in response to media inquiries, 45 CFR § 164.510(a) of the HIPAA Privacy Rule permits notifications to individuals who inquire about a patient or the patient’s general condition and location in the facility.

In such cases, disclosure of PHI is permitted if it is consistent with the patient’s wishes and the patient is asked for by name. All that can be disclosed is “facility directory information.” The patient’s name may be disclosed along with the individual’s location within the facility, provided the location does not disclose information about the patient’s treatment, e.g., labor & delivery, and their condition in general terms. i.e., stable, fair, or critical. All other disclosures of PHI can only be made if a HIPAA-compliant authorization is obtained from the patient in advance.

The post St. Joseph’s Medical Center Pays $80,000 HIPAA Fine for PHI Disclosure to a Reporter appeared first on HIPAA Journal.