HIPAA Enforcement Update

Privacy & Cybersecurity Newsletter
December 2017

With respect to enforcement, the Department of Health and Human Services, Office for Civil Rights (OCR) announced two Settlement Agreements to resolve allegations of HIPAA violations between May and October of 2017. Neither settlement resulted from large breaches but instead focused on discrete incidents involving impermissible disclosures of PHI. These Settlement Agreements demonstrate that OCR will take into account aggravating factors including the egregious nature of the disclosure, extent of the harm caused to the affected individual(s), and lack of institutional safeguards protecting the information.

On May 23, 2017, OCR publicized that St. Luke’s Roosevelt Hospital Center Inc. (St. Luke’s) entered into a Resolution Agreement and Corrective Action Plan to resolve impermissible disclosures of two patients’ PHI. St. Luke’s operates the Institute for Advanced Medicine, formerly the Spencer Cox Center for Health (Spencer Cox Center), which specializes in the treatment of HIV positive and AIDS patients. OCR received a complaint that a Spencer Cox Center employee accidentally faxed an HIV positive patient’s PHI to the patient’s employer. During the course of the complaint investigation, OCR discovered that the Spencer Cox Center had also impermissibly released similar sensitive health information in a different incident nine months prior but had failed to address vulnerabilities in its compliance program. Given the sensitivity of the information involved, including the patients’ HIV status, sexual orientation, and mental health diagnoses, the disclosures were noted to be especially “egregious.” St. Luke’s agreed to pay $387,200 to resolve the allegations, and the Corrective Action Plan requires St. Luke’s to reevaluate its staff training materials related to HIPAA. When announcing the settlement, OCR Director Roger Severino noted that “[i]n exercising its enforcement authority, OCR takes into consideration aggravating factors such as the nature and extent of the harm caused by failure to comply with HIPAA requirements” and reminded both covered entities and business associates that they have the responsibility under HIPAA to both identify and actually implement safeguards to protect sensitive data.

On May 10, 2017, OCR announced a $2.4 million Resolution Agreement in connection with a hospital press release that impermissibly identified a patient by name. The patient presented an allegedly fraudulent identification card to Memorial Hermann Health System’s (Memorial) office staff, which resulted in the patient’s arrest. Thereafter, Memorial issued a press release disclosing the patient’s name to multiple media outlets. In addition to the monetary settlement, Memorial agreed to adopt a comprehensive Corrective Action Plan requiring it to update its policies and procedures on safeguarding PHI from impermissible disclosures, including releases to the media. Although HIPAA permits organizations to disclose PHI to law enforcement, the law enforcement exceptions do not extend to public disclosure of PHI, even when criminal activity occurs.

On October 27, 2017, OCR responded to President Trump’s call to action to combat the nation’s opioid crisis by issuing clarifying guidance regarding the release of information in medical emergencies, such as during an opioid overdose, without violating the HIPAA Privacy Rule. HIPAA allows health care professionals to disclose some health information without a patient’s authorization under certain circumstances, including sharing health information with family and close friends if the provider determines that doing so is in the best interests of an incapacitated or unconscious patient and the information is directly related to the family or friend’s involvement in the patient’s health care or payment of care. For example, the guidance states that a doctor whose patient has overdosed on opioids is presumed to have complied with HIPAA if the doctor informs family, friends, or caregivers of the opioid abuse after determining, based on the facts and circumstances, that the patient poses a serious and imminent threat to his or her health through continued opioid abuse upon discharge. Furthermore, OCR takes the position that decision-making incapacity may be temporary and situational and does not have to rise to the level where another decision-maker has been or will be appointed by law. The guidance also notes that HIPAA allows health care providers to disclose information to persons who are in a position to prevent or lessen a serious and imminent threat to a patient’s health or safety. Importantly, a health care provider is not permitted to share health information about patients with the capacity to make their own health care decisions (and who object to the provider sharing the information) unless there is a serious and imminent threat of harm to the patient’s health.