The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

St. Joseph’s Medical Center Pays $80,000 HIPAA Fine for PHI Disclosure to a Reporter

Posted By on Nov 20, 2023

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its 11th HIPAA penalty of 2023. St. Joseph’s Medical Center, a non-profit academic medical center in New York, was investigated over the disclosure of patients’ protected health information (PHI) to a reporter and has paid a $80,000 financial penalty to resolve the alleged HIPAA violations.

The Privacy Rule of the Health Insurance Portability and Accountability Act permits disclosures of PHI for the purpose of treatment, payment, and healthcare operations but other disclosures of PHI are generally prohibited unless authorization is obtained from a patient. OCR launched an investigation of St. Joseph’s Medical Center on April 20, 2020, pursuant to the publication of an article in the media by a reporter from the Associated Press (AP). Based on the information in the article it appeared that the reporter had been allowed to observe three patients who were being treated for COVID-19.

The article included information about the medical center’s response to the COVID-19 public health emergency and photographs and information about the facility’s patients. The images were distributed nationally, exposing PHI such as patients’ COVID-19 diagnoses, current medical statuses and medical prognoses, vital signs, and treatment plans. OCR’s investigation found evidence to suggest that St. Joseph’s Medical Center had allowed the reporter access to the patients and their clinical information. St. Joseph’s Medical Center had not obtained consent and valid HIPAA authorizations from the patients and the disclosure of PHI was not permitted by the HIPAA Privacy Rule.

St. Joseph’s Medical Center chose to settle the alleged HIPAA violation with OCR with no admission of liability and agreed to adopt a corrective action plan (CAP). The CAP requires St. Joseph’s Medical Center to review and, to the extent necessary, develop, maintain, and revise its written privacy policies and procedures to ensure they are compliant with the HIPAA Privacy Rule, provide those policies and procedures to OCR for review, distribute the updated policies and procedures to members of the workforce, and obtain a signed written or electronic compliance certification from all members of the workforce confirming they have read and understood the new policies and procedures.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

In addition to the above, St. Joseph’s must provide refresher HIPAA training to all members of the workforce – including “leadership” – within sixty days and to new hires within thirty days. Further refresher training must be provided annually, or more frequently depending on subsequent changes to policies and procedures, revised OCR guidance, regulatory changes, or threats to the privacy and security of PHI being identified in risk assessments. St. Joseph’s Medical Center will be monitored by OCR for compliance for 2 years.

“When receiving medical care in hospitals and emergency rooms, patients should not have to worry that providers may disclose their health information to the media without their authorization,” said OCR Director Melanie Fontes Rainer. “Providers must be vigilant about patient privacy and take necessary steps to protect it and follow the law. The Office for Civil Rights will continue to take enforcement actions that puts patient privacy first.”

Disclosures of PHI in Response to Media Enquires

When it comes to disclosures of PHI in response to media inquiries, 45 CFR § 164.510(a) of the HIPAA Privacy Rule permits notifications to individuals who inquire about a patient or the patient’s general condition and location in the facility.

In such cases, disclosure of PHI is permitted if it is consistent with the patient’s wishes and the patient is asked for by name. All that can be disclosed is “facility directory information.” The patient’s name may be disclosed along with the individual’s location within the facility, provided the location does not disclose information about the patient’s treatment, e.g., labor & delivery, and their condition in general terms. i.e., stable, fair, or critical. All other disclosures of PHI can only be made if a HIPAA-compliant authorization is obtained from the patient in advance.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist