HHS OCR Settles HIPAA Investigation of Medical Center for Disclosure of PHI to Reporter

On November 20, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a settlement with a New York medical center for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The settlement involved the impermissible disclosure of COVID-19 patients’ protected health information (PHI) to a national media outlet.

OCR investigated the medical center after the Associated Press published an article about its response to the COVID-19 public health emergency, which included photographs and information about the facility’s patients. These images were distributed nationally, exposing PHI which included patients’ COVID-19 diagnoses, current medical statuses and prognoses, vital signs, and treatment plans.

OCR determined that the medical center disclosed three patients’ PHI to the Associated Press without first obtaining written authorization from the patients, therefore potentially violating the HIPAA Privacy Rule.

The medical center paid $80,000 to OCR and agreed to implement a corrective action plan requiring the facility to develop written policies and procedures that comply with the HIPAA Privacy Rule. It also agreed to train its workforce on the revised policies and procedures. Under this agreement, OCR will monitor the medical center for two years to ensure compliance with the plan and with the law.

“When receiving medical care in hospitals and emergency rooms, patients should not have to worry that providers may disclose their health information to the media without their authorization,” said OCR Director Melanie Fontes Rainer. “Providers must be vigilant about patient privacy and take necessary steps to protect it and follow the law. The Office for Civil Rights will continue to take enforcement actions that put patient privacy first.”

OCR’s guidance on media access to PHI serves as a resource to providers and patients. The guidance clarifies the circumstances in which PHI can or cannot be disclosed to the media.

Compliance Perspective

Issue

Under the HIPAA Privacy Rule, a covered entity (including a healthcare provider) may not use or disclose PHI except either:

    • As the HIPAA Privacy Rule permits or requires; or
    • As the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.

Therefore, regulated entities cannot disclose a patient’s PHI to the media without first obtaining written authorization from the patient permitting the entity to do so. This includes when healthcare providers have print or television reporters on the premises.

Discussion Points

    • Review policies and procedures related to HIPAA, PHI, and the Privacy Rule. Ensure that they prohibit disclosing residents’ PHI to the media without the residents’ signed consent.
    • Train all staff on HIPAA, PHI, and the Privacy Rule upon hire and annually. Document that these trainings occurred and file the signed training document in the employees’ education files.
    • Periodically audit to ensure that the facility’s policies and procedures for HIPAA, PHI, and the Privacy Rule are being followed by all staff, and that each person demonstrates understanding and competency.

*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*
