Even a Pandemic Doesn’t Stop HIPAA

By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure, #HCdeJure

Maintaining and protecting privacy for patients and healthcare information is important and necessary at all times. The requirement for keeping privacy applies no matter the circumstances, which can mean in the middle of a pandemic. The most recent HIPAA settlement announced by the Office for Civil Rights provides that reminder.

The Factual Background

What happened? That’s a good question to ask. The recent settlement involved St. Joseph’s Medical Center (St. Joseph’s) and interactions with the Associated Press. As laid out by OCR in the Resolution Agreement, St. Joseph’s allowed an AP reporter into one of its facilities on April 20, 2020. In case memories have become hazy since that time, that date was a month into the COVID pandemic. In allowing the reporter into its facility, St. Joseph’s also allowed the reporter to observe three patients being treated for COVID. While that in and of itself was problematic, OCR also determined that St. Joseph’s allowed the reporter to review clinical information about each of the three patients.

The details were fleshed out a bit more in OCR’s press release about the settlement. The press release stated that the observation of the patients included photographs of the patients and treatment areas, and that those images were distributed nationally by the AP. OCR felt that the information included in the article revealed not just the COVID diagnosis, but also the current status and prognosis for each patient along with vital signs and treatment plans. The implication is that a significant amount of information was published.

On top of all of that questionable conduct, St. Joseph’s never obtained authorization from the patients for the disclosure of their information. A written authorization can cure many of the disclosure problems. In fact, the lack of a written authorization was identified as the sole violation, which is a bit of a departure from the standard practice of listing a number of different examples of non-compliance.

All of the conduct resulted in a fine of $80,000.

The Lessons

As should always be the case, a settlement published by OCR should be a spur for each entity to examine its own practices. Before getting to those lessons, it is worth noting that disclosing patient information to the media is not a new basis for a HIPAA settlement. While the settlement with St. Joseph’s did not arise from a television show, there are some parallels with prior settlements where a reality show was the basis for the HIPAA violation. In all of those cases, advance written authorization was not obtained from patients before disclosing their information. Additionally, the disclosures to different forms of media caused patient information to be widely disseminated and constituted a pretty large breakdown of privacy.

There was also another previous settlement with a physician practice that arose from the practice contacting a reporter to discuss a complaint raised by a patient. That settlement arguably involved more egregious conduct since the practice affirmatively reached out to the reporter to counter statements and positions being advanced by the patient.

In all of the cases, the fundamental problem is revealing patient information to outlets that will clearly spread the private information to broader audiences. Given the focus on authorizations, one primary step would be approaching patients before getting involved in any situation with a media company that could result in patient information being viewed or patients being included in reports or images. As suggested above, a written authorization from a patient can help cure or overcome a number of issues. Giving information to patients and being transparent does cure a lot of ills.

If an authorization will be pursued, then an organization should review what elements need to be included in an authorization. It is not enough to just ask a patient to authorize any use. The Privacy Rule lays out what needs to be included for an authorization to be valid. Some of the core elements are who the information will be disclosed to, an expiration date that limits how long the disclosure is permitted, and the ability to revoke the authorization. Those are just a sample of the required elements, which means it is essential to review the specific language of the Privacy Rule. The bottom line, though, is that freely interacting with the media in a way that reveals patient information is going to create an unnecessary headache.

Future Interactions

The various settlements and the requirements of the Privacy Rule don’t mean that it is impossible for a healthcare organization to interact with the media. Instead, any interaction should be well thought out, which means deciding in advance what will be disclosed and what backup, such as a valid authorization, is needed to enable that interaction. For example, there have been some very successful campaigns by hospitals that detail patient stories or show a journey, but the key is interacting with the patients and being transparent. Transparency, honesty, and dialogue should inform the approach. Will that happen, or will organizations continue to be caught up in the moment and then be forced to face the consequences later?

This article was originally published on The Pulse blog and is republished here with permission.