St. Joseph’s Medical Center provided national media access to
Protected health information of patients with COVID-19
Today, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Saint Joseph Medical Center for potential violations of the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Saint Joseph’s Medical Center is a not-for-profit academic medical center in New York City that provides a full range of health care services. The settlement involved the impermissible disclosure of protected health information of COVID-19 patients to national media.
“When receiving medical care in hospitals and emergency rooms, patients should not have to worry that providers may release their health information to the media without their permission,” said OCR Director Melanie Fontes Reiner. “Providers must be vigilant about patient privacy and take the necessary steps to protect it and comply with the law. The Office for Civil Rights will continue to take enforcement actions that put patient privacy first.”
OCR is investigating St. Joseph’s Medical Center after the Associated Press published an article about the medical center’s response to the COVID-19 public health emergency that included photos and information about the facility’s patients. These images were distributed nationally, revealing protected health information, including patients’ COVID-19 diagnoses, current medical statuses and medical prognoses, vital signs, and treatment plans.
OCR found that Saint Joseph Medical Center disclosed the protected health information of three patients to the Associated Press without first obtaining written permission from the patients, potentially violating the HIPAA Privacy Rule. Under the HIPAA Privacy Rule, a covered entity (including a health care provider) may not use or disclose protected health information except:
- As the HIPAA Privacy Rule allows or requires; or
- The natural person who is the subject of the information (or his personal representative) authorizes in writing.
Therefore, regulated entities may not disclose a patient’s protected health information to the media without first obtaining written authorization from the patient authorizing the entity to do so. This includes when health care providers have print or television reporters on the premises.
Saint Joseph’s Medical Center paid $80,000 to OCR and agreed to implement a corrective action plan requiring the facility to develop written policies and procedures that comply with the HIPAA Privacy Rule. St. Joseph’s Medical Center also agreed to train its workforce on the revised policies and procedures. Under this agreement, OCR will monitor St. Joseph’s Medical Center for two years to ensure compliance with the plan and the law.
The Restructuring Agreement and Remedial Action Plan can be found at:
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/sjmc-ra-cap/index.html
- OCR’s Guidelines on Media Access to Protected Health Information serve as a resource for providers and patients. The guidance clarifies the circumstances under which protected health information may or may not be disclosed to the media. You can view the guide here: https://www.hhs.gov/hipaa/for-professionals/faq/2023/film-and-media/index.html
- OCR is committed to enforcing the privacy and security of individuals’ health information that is protected by HIPAA. If you believe that the privacy or civil rights of your or another’s health information has been violated, you may file a complaint with OCR at: https://www.hhs.gov/ocr/complaints/index.html