HIPAA COVID News Violation

On November 20, 2023, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement with Saint Joseph’s Medical Center. Saint Joseph’s Medical Center agreed to pay $80,000 to resolve an incident that stemmed from the healthcare provider disclosing patient information to a news outlet.

St. Joseph’s Exposes Patient Information to a News Reporter

During the height of the COVID-19 pandemic, Saint Joseph’s Medical Center was the subject of an Associated Press article discussing the medical center’s response to the public health crisis. The article in question provided information about patients, including photographs taken on site. The images exposed protected health information (PHI), such as patients’ COVID-19 diagnoses, current medical statuses and prognoses, vital signs, and treatment plans.

Upon learning of the potential HIPAA Privacy Rule violation, OCR launched an investigation into the incident. The investigation determined that Saint Joseph’s Medical Center disclosed the PHI of three patients to the Associated Press without obtaining written authorization first.

As a result, the medical center agreed to pay OCR $80,000 and implement a corrective action plan. Under the corrective action plan, the medical center must amend its policies and procedures and retrain its workforce on the new guidelines.

In a press release discussing the settlement, OCR Director Melanie Fontes Rainer stated, “When receiving medical care in hospitals and emergency rooms, patients should not have to worry that providers may disclose their health information to the media without their authorization. Providers must be vigilant about patient privacy and take necessary steps to protect it and follow the law. The Office for Civil Rights will continue to take enforcement actions that put patient privacy first.”

Authorized Use and Disclosure of PHI

Under the HIPAA Privacy Rule, PHI may be disclosed without patient consent only for treatment, payment, or healthcare operations. Before disclosing PHI for any other purpose, a healthcare provider must obtain explicit written authorization from the patient.

This incident is not the first time a healthcare organization has come under fire for allowing the media to document patients without consent. Providers must be cognizant of when patient authorization is required to prevent a similar incident from occurring in their organization.