Today, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Saint Joseph’s Medical Center for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. Saint Joseph’s Medical Center is a non-profit academic medical center in New York that provides a full range of healthcare services. The settlement involved the impermissible disclosure of COVID-19 patients’ protected health information to a national media outlet. OCR investigated Saint Joseph’s Medical Center after the Associated Press published an article about the medical center’s response to the COVID-19 public health emergency, which included photographs and information about the facility’s patients. These images were distributed nationally, exposing protected health information including patients’ COVID-19 diagnoses, current medical statuses and medical prognoses, vital signs, and treatment plans. OCR determined that Saint Joseph’s Medical Center disclosed three patients’ protected health information to the Associated Press without first obtaining written authorization from the patients, therefore potentially violating the HIPAA Privacy Rule.
