The U.S. Department of Health and Human Services Office for Civil Rights announced it has settled with the Saint Joseph’s Medical Center in Yonkers, New York, related to a charge of unlawful release of early COVID-19 patients’ protected health information to a national media outlet on April 20, 2020.
WHY IT MATTERS
According to a statement Monday, HHS said that it began investigating the hospital for a potential breach of the Health Insurance Portability and Accountability Act of 1996 Privacy Rule related to the inclusion of three COVID-19 patients’ protected health information in Associated Press news.
In the resolution agreement, HHS said OCR began investigating Saint Joseph’s Medical Center “after the Associated Press published an article about the medical center’s response to the COVID-19 public health emergency, which included photographs and information about the facility’s patients” on April 28, 2020.
OCR said sharing the patient images and information, distributed nationally through the news, violated national patient-privacy-protection law. The PHI exposed included patient COVID-19 diagnoses, current medical statuses and medical prognoses, vital signs and their treatment plans, according to the press announcement.
“When receiving medical care in hospitals and emergency rooms, patients should not have to worry that providers may disclose their health information to the media without their authorization,” said OCR Director Melanie Fontes Rainer in the statement.
Regulated entities cannot disclose PHI to the media – pandemic or not – without first obtaining written authorization from the patient permitting the entity to do so.
“This includes when healthcare providers have print or television reporters on the premises,” HHS noted.
Saint Joseph’s Medical Center must pay $80,000 to OCR and implement a corrective action plan requiring the facility “to develop written policies and procedures that comply with the HIPAA Privacy Rule.”
The medical center also agreed to train its workforce on the revised policies and procedures under the agreement with the federal agency. OCR said it would monitor St. Joseph’s for two years to ensure its compliance.
THE LARGER TREND
OCR settlements with healthcare providers, healthcare technology vendors and others can cost a health system millions of dollars for breaches of PHI, and for right of access investigations, which began in 2019.
In 2020, OCR fined CHSPSC, a Tennessee-based management company that provides IT and services to providers that is indirectly owned by Community Health Systems, $2.3 million for a 2014 cyber breach. Over four months, cybercriminals exfiltrated the PHI of more than six million people across 237 covered entities in the publicly traded health system from CHSPSC’s servers.
Health system culpability for HIPAA violations has significantly increased along with growing cybersecurity threats since the law was signed in 1996 and more recently with information blocking requirements under the 20th Century Cures Act.
Exceptions to info blocking are being finalized by HHS, but they require special attention from providers, according to legal experts, which is adding to healthcare’s administrative burden.
Beyond monetary civil penalties, criminal penalties can also be imposed for intentional violations of HIPAA – such as when employees snoop on electronic health records or when they share patient information with media during the height of pandemic hysteria. Only certain disclosures without patient consent are authorized for public health purposes under the guidance OCR issued in December 2020, such as sharing COVID-19 diagnoses with health information exchanges.
ON THE RECORD
“Providers must be vigilant about patient privacy and take necessary steps to protect it and follow the law,” Fontes Rainer said in a statement.
“The Office for Civil Rights will continue to take enforcement actions that put patient privacy first.”
Andrea Fox is senior editor of Healthcare IT News.
Email: [email protected]
Healthcare IT News is a HIMSS Media publication.
