The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has reached a settlement with Saint Joseph’s Medical Center located in Yonkers, New York. This settlement is in response to a violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The breach involved the unauthorized release of early COVID-19 patients’ protected health information (PHI) to a national media outlet. The OCR’s investigation into Saint Joseph’s Medical Center began after an article by the Associated Press, published on April 28, 2020, included photographs and detailed information about the facility’s patients. This exposure of sensitive patient information, including COVID-19 diagnoses, medical statuses, prognoses, vital signs, and treatment plans, constituted a clear violation of national patient-privacy-protection laws.
The settlement shows the importance of adhering to patient privacy laws, especially during public health emergencies like the COVID-19 pandemic. OCR Director Melanie Fontes Rainer emphasized that patients should not have to worry about their health information being disclosed to the media without their authorization. The HIPAA Privacy Rule strictly prohibits regulated entities, including healthcare providers, from disclosing PHI to the media without first obtaining written authorization from the patient. This rule applies irrespective of the presence of print or television reporters on healthcare premises. Saint Joseph’s Medical Center failed to adhere to these privacy standards, leading to the unauthorized dissemination of patient information.
As part of the settlement, Saint Joseph’s Medical Center is required to pay $80,000 to the OCR and implement a comprehensive corrective action plan. This plan outlines the development of written policies and procedures that comply with the HIPAA Privacy Rule. The medical center has agreed to conduct extensive training for its workforce on these revised policies and procedures. The OCR will monitor the implementation of these measures at Saint Joseph’s Medical Center for two years, ensuring that the facility adheres to the stipulated privacy standards and the corrective action plan.
OCR settlements with healthcare providers and other entities can result in significant financial penalties for breaches of PHI and violations of patient rights. The healthcare industry has seen a notable rise in penalties for HIPAA violations, in part due to escalating cybersecurity threats and the rapid development of patient information management. Criminal charges can also be imposed for intentional HIPAA violations, including unauthorized access to electronic health records or sharing patient information without consent.