St. Joseph’s Medical Center Fined $80,000 For Allowing Reporter to Access Patients’ PHI

St. Joseph’s Medical Center in New York has chosen to settle allegations that it violated the HIPAA Privacy Rule and has agreed to pay an $80,000 financial penalty and adopt a corrective action plan to address the areas of non-compliance discovered by OCR during its investigation.

On April 20, 2020, OCR launched an investigation following the publication of an Associated Press (AP) article about how the medical center was responding to the COVID-19 pandemic. The article, which included images, revealed information about the medical center’s response but also patient information, including patients’ COVID-19 diagnoses, current medical statuses and medical prognoses, vital signs, and treatment plans.

The article, which was distributed nationally, suggested St. Joseph’s Medical Center had provided an AP reporter with access to three patients and their clinical information. OCR investigated to determine whether the patients concerned had provided authorization for their information to be disclosed to the reporter. OCR determined that St. Joseph’s Medical Center had provided the AP reporter with access to the patients and their PHI but had not obtained a HIPAA-compliant authorization from the patients. Since HIPAA does not permit the disclosure of protected health information to the media and the patients had not authorized the disclosures, the medical center was found to have violated the HIPAA Privacy Rule.

All Workforce Members to Undergo Refresher HIPAA Training

St. Joseph’s Medical Center settled the alleged violations and paid the financial penalty with no admission of liability or wrongdoing. The corrective action plan requires the medical center to review and update its HIPAA policies and procedures, distribute the new policies and procedures to the workforce, and obtain written or electronic compliance certification from each member of the workforce confirming the updated policies and procedures have been received.

In addition to updating and distributing its HIPAA policies, all members of the workforce must be provided with refresher HIPAA training to reinforce their knowledge of the Privacy Rule and of which uses and disclosures of PHI are required and permissible. The refresher training must be provided within sixty days of OCR approving the medical center’s updated policies and procedures and repeated at least annually during the term of the corrective action plan. OCR will monitor the medical center to ensure continued compliance with the HIPAA Rules for a minimum of 2 years.

“When receiving medical care in hospitals and emergency rooms, patients should not have to worry that providers may disclose their health information to the media without their authorization,” said OCR Director Melanie Fontes Rainer. “Providers must be vigilant about patient privacy and take necessary steps to protect it and follow the law. The Office for Civil Rights will continue to take enforcement actions that put patient privacy first.”

This is the 11th HIPAA penalty to be imposed by OCR to resolve HIPAA violations so far this year. Across those 11 enforcement actions, $3,536,500 in penalties has been paid.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023.