Hospital Pays Fine for Disclosing Patient PHI to Reporter

A media report during the early days of the COVID-19 pandemic that exposed the personal information of three New York patients has resulted in an $80,000 federal fine against a New York medical center, according to a Department of Health and Human Services settlement released on Monday.

See Also: Live Webinar | Generative AI: Myths, Realities and Practical Use Cases

DHS’ Office for Civil Rights in a statement Monday said St. Joseph Medical Center, a 194-bed hospital in Yonkers, New York, will pay the monetary fine and implement a corrective action plan with two years of HHS OCR monitoring under the HIPAA resolution agreement.

The settlement comes in the wake of HHS OCR’s investigation of a 2020 incident involving an Associated Press reporter who published an article about the medical center’s response to the COVID-19 public health emergency during the pandemic. The piece included photographs and information about the facility’s patients.

“The images were distributed nationally, exposing protected health information including patients’ COVID-19 diagnoses, current medical statuses and medical prognoses, vital signs, and treatment plans,” HHS OCR said in a statement.

“When receiving medical care in hospitals and emergency rooms, patients should not have to worry that providers may disclose their health information to the media without their authorization,” OCR Director Melanie Fontes Rainer said in the statement.

HHS OCR’s settlement with St. Joseph says the agency’s investigation found that on April 20, 2020, the medical center impermissibly allowed the AP reporter to observe three patients who were being treated for COVID-19.

“The evidence supports that St. Joseph Medical Center allowed the reporter access to the patients and their clinical information,” HHS OCR said. The disclosures were made without first obtaining valid authorizations from the affected individuals, as required under HIPAA. On April 28, 2020, HHS notified the medical center of HHS’ HIPAA investigation based on information contained in the AP article.

Corrective Action Plan

As part of the corrective action plan, St. Joseph Medical Center has agreed to review and as necessary revise its written HIPAA privacy policies and procedures, distribute them to its workforce and provide training related to the material.

The hospital’s revised HIPAA privacy policy and procedures, among other provisions, must include a prohibition on disclosures of protected health information by St. Joseph Medical Center workforce members, agents and business associates to any entity or person engaging in photography, video recording or audio recording without the prior written authorization of the patient.

St. Joseph Medical Center did not immediately respond to Information Security Media Group’s request for comment on the settlement.

The settlement with the medical center is at least the second HIPAA enforcement action by the agency in a case involving impermissible disclosure of patient PHI to a media entity.

In 2016, New York Presbyterian Hospital paid a $2.2 million HIPAA penalty and agreed to implement a comprehensive corrective action plan following the disclosure of two patients’ PHI during the 2013 filming of a television documentary series, “NY Med” (see: NY Presbyterian Hospital Slapped With Second HIPAA Fine).

The settlement with St. Joseph Medical Center is HHS OCR’s 10th HIPAA enforcement action announced so far this year.

The largest HIPAA penalty by HHS OCR so far in 2023 was a $240,000 settlement announced in June with Yakima Valley Memorial Hospital in Washington state in a breach reported in 2018 involving 23 security guards who snooped on the records of 419 patients (see: Hospital Fined $240K for Records-Snooping Breach by Guards).