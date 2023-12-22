On November 20, 2023, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Saint Joseph's Medical Center for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. "The settlement involved the impermissible disclosure of COVID-19 patients' protected health information to a national media outlet."1

The OCR determined that Saint Joseph's Medical Center disclosed three patients' protected health information to the Associated Press without first obtaining written authorization from the patients, therefore potentially violating the HIPAA Privacy Rule. The OCR went on to state "regulated entities cannot disclose a patient's protected health information to the media without first obtaining written authorization from the patient permitting the entity to do so. This includes when health care providers have print or television reporters on the premise."2

The OCR and Saint Joseph's settled for $80,000 and agreed on a corrective action plan requiring the implementation of written policies and procedures. Additionally, Saint Joseph's agreed to train its workforce on the revised policies and procedures.

The key takeaways from this settlement announcement are the following: 1) consistently review and update policies and procedures to adapt to change operations and practices in your institution; 2) review your Notice of Privacy Practices for alignment with patients' rights and uses and disclosures; 3) provide yearly training to your staff on basic practices and educate them on changes to policies and procedures and regulations, and 4) review your written authorization templates to validate that PHI publications are covered as part of the authorized disclosures.

Find here the publication issued by OCR:

