Report on Patient Privacy 23, no. 12 (December, 2023)
Spring 2020 was a terrifying period in the annals of COVID-19, and New York was at the epicenter. COVID-19 cases, and deaths, already the highest in the nation, were surging; there were no specific treatments and vaccines were but a distant dream. Although people branded health care workers heroes, banging pots and pans nightly to honor them, with no visitors allowed, most had no real knowledge of medical personnel’s desperate—and often futile—fight to save patients.
That changed in April of that year when St. Joseph’s Medical Center (SJMC) in Yonkers—which borders the Bronx and is two miles north of Manhattan—invited Associated Press (AP) photographer John Minchillo into the hospital’s emergency room, intensive care unit and triage and testing tent set up outside.
His 21 photos, which are still online, captured exhausted medical staff, their faces lined from heavy, hot masks and other protective gear; a clutch of doctors and nurses resuscitating a shirtless man; a patient encircled by ventilator tubing. Only staff were identified by name.[1]
The accompanying story by Brian Mahoney—who told RPP that Minchillo was on site, but that he was not—was fairly short at a little more than 800 words. But Mahoney had done his reporting: although no specific patients were discussed or identified, the story quoted six administration and medical leaders, including Chief Financial Officer Frank Hagan, who complained at the time about price gouging of masks, gowns and protective shields.
More than three years later, Hagan’s name would be published on the HHS Office for Civil Rights (OCR) website as the person responsible for implementing a two-year corrective action plan (CAP) that accompanies an $80,000 payment the medical center agreed to make.
SJMC’s (alleged) offense: allowing an unidentified reporter to observe a trio of patients receiving treatment for COVID-19. “The evidence supports that SJMC allowed the reporter access to the patients and their clinical information. The disclosures were not made pursuant to a permissible purpose under or as required by the Privacy Rule and were made without first obtaining valid authorizations from the affected individuals,” according to the settlement agreement.[2]
The story appeared April 20, 2020. On April 28, 2020, “HHS notified SJMC of HHS’ investigation regarding SJMC’s compliance with the Privacy Rule based on information contained in the AP article,” according to the settlement documents.
On May 5, 2020, OCR issued what it called “additional guidance reminding covered health care providers that the HIPAA Privacy Rule does not permit them to give media and film crews access to facilities where patients’ protected health information (PHI) will be accessible without the patients’ prior authorization.”[3] The agency made no mention of the AP story, but the timing suggests it might have triggered it.
SJMC Did Not Admit to Violating HIPAA
This guidance “explains that even during the current COVID-19 public health emergency, covered health care providers are still required to obtain a valid HIPAA authorization from each patient whose PHI will be accessible to the media before the media is given access to that PHI,” OCR said. “The guidance clarifies that masking or obscuring patients’ faces or identifying information before broadcasting a recording of a patient is not sufficient, as a valid HIPAA authorization is still required before giving the media such access. Additionally, the guidance describes reasonable safeguards that should be used to protect the privacy of patients whenever the media is granted access to facilities.”
In its Nov. 20 announcement of the agreement with SJMC, OCR said the “images were distributed nationally, exposing protected health information including patients’ COVID-19 diagnoses, current medical statuses and medical prognoses, vital signs, and treatment plans.”[4] OCR said the PHI was shared by SJMC “without first obtaining written authorization from the patients, therefore potentially violating the HIPAA Privacy Rule.”
SJMC did not admit to wrongdoing as part of the settlement, which appears to have been finalized in August. Neither Hagan nor other SJMC representatives responded to RPP’s repeated requests for comment, nor did Minchillo. In a brief email exchange, Mahoney told RPP he “wasn’t involved very much in the project and not at all in any of the discussions with the hospital” and did not know whether prior authorization had been obtained.
Prior Authorization Requirement Based on Guidance
Although this appears to be the first COVID-19-related enforcement action by OCR, it mirrors several others in which the agency has claimed PHI was impermissibly shared with the media because signed authorizations weren’t obtained in advance. OCR has taken the position that this is a requirement even though it isn’t found in the HIPAA law or Privacy Rule (neither mention news media).
In April 2016, OCR announced a $2.2 million settlement with New York-Presbyterian Hospital over the “unauthorized” filming of a reality TV series and issued an accompanying FAQ on “media access to PHI.”
OCR issued guidance accompanying this settlement in which it stated, for the first time, that organizations had to obtain prior written authorization from “each individual who is or will be in the area or whose PHI otherwise will be accessible to the news media.”
In 2018, OCR announced settlements with three Boston-based hospitals for a total of $999,000 for allegedly “compromising the privacy of patients’ [PHI] by inviting film crews on premises to film an ABC television network documentary series, without first obtaining authorization from patients.”[5]
As with the media-related settlements, OCR again linked to its previous guidance on media access to locations where PHI might be accessible.
Media Must Be ‘Actively Monitored’
The CAP does not contain many requirements, compared to more common ones, and focuses mainly on SJMC’s policies for the news media. But it is detailed enough that it can serve as a template for covered entities to compare against their own medical access policies.
For example, the policy should include a “specific prohibition on the use or disclosure of (PHI) by SJMC workforce members, agents, and business associates to any person or entity planning, coordinating, or engaging in photography, video recording, or audio recording without the prior, written, authorization of the patient who is the subject of the PHI sought to be disclosed, or of the personal representative of said patient.”
SJMC must also adopt a “process for evaluating and approving authorizations requesting the use or disclosure of PHI by SJMC before allowing third parties to have access to patients’ PHI and treatment areas or other areas of SJMC where PHI will be accessible in written, electronic, oral, or other visual or audio form.”
Additionally, the CAP calls for SJMC to require that a “workforce member actively monitor all photography, video recording, and audio recording conducted on SJMC premises by a third party including for purposes not related to medical treatment or health care operations in compliance with the Privacy Rule.”
1 Brian Mahoney and John Minchillo, “AP Exclusive: ‘It’s been a nightmare’ for Yonkers ER doc,” Associated Press, April 22, 2020, https://bit.ly/47Ha0EX.
2 U.S. Department of Health and Human Services, “St. Joseph’s Medical Center Resolution Agreement and Corrective Action Plan,” content last reviewed November 20, 2023, https://bit.ly/46JlUgc.
3 U.S. Department of Health and Human Services, “OCR Issues Guidance on Covered Health Care Providers and Restrictions on Media Access to Protected Health Information about Individuals in Their Facilities,” news release, May 5, 2020, https://bit.ly/47T00bG.
4 U.S. Department of Health and Human Services, “HHS’ Office for Civil Rights Settles HIPAA Investigation of St. Joseph’s Medical Center for Disclosure of Patients’ Protected Health Information to a News Reporter,” news release, November 20, 2023, https://bit.ly/3GsHDhR.
5 Theresa Defino, “In 2nd Such Action, OCR Slaps Three Boston Hospitals for Roles in Medical Trauma Series,” Report on Patient Privacy 18, no. 10 (October 2018), https://bit.ly/3uIDZhj.
[View source.]