A non-profit academic medical center in New York has reached a settlement with the government for an alleged violation of the Health Insurance Portability and Accountability Act (HIPAA). The agreement was reached between Saint Joseph’s Medical Center and the U.S. Department of Health and Human Services after an investigation into a breach of patient confidentiality.

Setting the context of the violation, we look at how it was first brought to light. According to a press release, Saint Joseph’s Medical Center reached an agreement with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) that involved releasing a patients COVID-19 information to a national media outlet.

Melanie Fontes Rainer, OCR Director, emphasizes on upholding patient privacy in her statement. "When receiving medical care in hospitals and emergency rooms, patients should not have to worry that providers may disclose their health information to the media without their authorization," said OCR Director Melanie Fontes Rainer. "Providers must be vigilant about patient privacy and take necessary steps to protect it and follow the law. The Office for Civil Rights will continue to take enforcement actions that put patient privacy first."

Digging into legal provisions, it becomes clear what constitutes such violations. According to information provided by the HHS, a patient’s, or the individual’s personal representative's, medical information can only be revealed if it’s authorized in writing.

The gravity of Saint Joseph's violation is illustrated through an incident that was reported by Associated Press. An OCR investigation into the medical center began after Associated Press wrote an article detailing the center's response to COVID-19, according to the media release. Among the sensitive nature that violated the HIPAA law were photographs and information regarding patients being treated at the center that included COVID-19 status, vital signs, and treatment procedures.

The investigation found specific instances of violation at Saint Joseph's Medical Center. OCR stated that the medical information of three patients was disclosed by Saint Joseph’s Medical Center without the facility obtaining approval from the patients in question, according to the media release.

The settlement agreement outlines various remedial measures for preventing future HIPAA violations. The $80,000 settlement stipulates that Saint Joseph’s Medical Center cultivate measures that would prevent further HIPAA violations, according to the press release. The agreement also mentions that Saint Joseph’s Medical Center will provide training to employees on new policies and procedures. The settlement also allows OCR to oversee St. Joseph’s Medical Center for two years to guarantee compliance under the arrangement and with the law.