A Yonkers hospital to pay $80K for leaking COVID-19 patient data

The U.S. Department of Health and Human Services Office for Civil Rights announced it has reached a settlement with Saint Joseph’s Medical Center in Yonkers, New York, in connection with a charge of unlawful disclosure of protected health information of early COVID-19 patients to a national media outlet on April 20, 2020.

WHY IT MATTERS

According to a statement Monday, HHS said it had begun investigating the hospital for a possible violation of the Health Insurance Portability and Accountability Act of 1996 Privacy Rule regarding the inclusion of the protected health information of three COVID-19 patients in Associated Press news.

In the resolution agreement, HHS said OCR began investigating Saint Joseph’s Medical Center “after the Associated Press published an article on April 28, 2020, about the medical center’s response to the COVID-19 public health emergency, including photos and information about the facility’s patients.”

OCR said the sharing of the patient images and information, which were distributed nationally through the news, violated state patient privacy protection laws. The PHI disclosed included patients’ COVID-19 diagnoses, current medical status and medical prognoses, vital signs and their treatment plans, the news release said.

“When receiving medical care in hospitals and emergency rooms, patients do not have to worry about healthcare providers disclosing their health information to the media without their consent,” OCR Director Melanie Fontes Rainer said in the statement.

Regulated entities cannot disclose PHI to the media – pandemic or not – without first obtaining written consent from the patient giving the entity permission to do so.

“This includes if health care providers have print or television reporters on site,” HHS noted.

Saint Joseph’s Medical Center must pay $80,000 to OCR and implement a corrective action plan, requiring the facility to “develop written policies and procedures that comply with the HIPAA Privacy Rule.”

The medical center also agreed to train its staff on the revised policies and procedures under the agreement with the federal agency. OCR said it would monitor St. Joseph’s for two years to ensure compliance.

THE BIG TREND

OCR settlements with healthcare providers, healthcare technology vendors and others could cost a healthcare system millions of dollars, both over PHI violations and under right-of-access investigations that began in 2019.

In 2020, OCR fined CHSPSC, a Tennessee-based management company that provides IT and services to providers indirectly owned by Community Health Systems, $2.3 million for a 2014 cyber breach. For four months, cybercriminals exfiltrated the PHI of more than six million people in 237 covered entities in the publicly traded healthcare system from CHSPSC’s servers.

The healthcare system’s culpability for HIPAA violations has increased significantly along with increasing cybersecurity threats since the law was signed in 1996 and more recently with information blocking requirements under the 20th Century Cures Act.

Exceptions to information blocking are being finalized by HHS, but legal experts say they require special attention from health care providers, adding to the administrative burden in the health care system.

In addition to civil penalties, criminal penalties may also be imposed for intentional violations of HIPAA – for example, when employees snoop on electronic health records or when they share patient information with the media during the height of pandemic hysteria. Only certain disclosures without patient consent are allowed for public health purposes under the OCR guidance issued in December 2020, such as sharing COVID-19 diagnoses with health information exchanges.

ON THE RECORD

“Providers must be vigilant about patient privacy and take the necessary steps to protect it and follow the law,” Fontes Rainer said in a statement.

“The Office for Civil Rights will continue to take enforcement actions with patient privacy as a priority.”

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.