OCR Settles HIPAA Investigation Regarding Potential Disclosure of Protected Health Information to Media Outlet

King & Spalding

On November 20, 2023, the HHS Office for Civil Rights (OCR) announced a settlement with Saint Joseph’s Medical Center resolving allegations that it violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by disclosing protected health information (PHI) to a media outlet. OCR advises providers to be vigilant about patient privacy and to take necessary steps to protect it.

The Associated Press published an article about Saint Joseph’s Medical Center’s response to COVID-19, which contained photographs and information including COVID-19 diagnoses, medical statuses, vital signs, and treatment plans of the facility’s patients. In response to the article, OCR investigated Saint Joseph’s Medical Center and determined that three patients’ PHI was disclosed without prior written authorization. Saint Joseph’s Medical Center and OCR agreed to a settlement that included payment of $80,000 and implementation of a corrective action plan. OCR will monitor Saint Joseph’s Medical Center for two years to ensure compliance with the corrective action plan and the HIPAA Privacy Rule.

OCR provides guidance to providers regarding media access to PHI and the limited circumstances in which providers can disclose PHI to the media without prior authorization. Generally, the HIPAA Privacy Rule does not permit a health care provider to disclose PHI to the media without first obtaining a HIPAA-compliant authorization signed by the patient or the patient’s personal representative. This includes allowing members of the media into treatment areas or other areas where PHI will be accessible. Providers must also ensure that reasonable safeguards are in place to protect against impermissible or accidental disclosures of PHI where an authorization has not been obtained.

There are very limited circumstances where a provider may disclose limited PHI to the media without obtaining prior HIPAA authorization. For example, a provider may have the media help identify an unidentified patient in its care by providing limited PHI if, in the hospital’s professional judgment, doing so is in the best interest of the patient. Providers are also not required to prevent the media from entering public areas of the facility, such as a public waiting area.

Finally, providers may use a film crew to produce training videos if certain protections are in place. Providers can inform the media of their treatment services and programs to better inform the public, so long as the provider does not share PHI with the media without prior authorization.

The resolution agreement and corrective action plan can be found here. OCR’s guidance for providers regarding media access to PHI can be found here.
