- A recent Office of Civil Rights (OCR) HIPAA settlement agreement states a New York-based hospital must pay $2.2 million after it allowed unauthorized filming of patients, according a Department of Health and Human Services (HHS) press release.
In addition to the settlement fines, New York Presbyterian Hospital agreed to a substantive corrective action plan. As part of the plan, OCR will monitor the hospital for two years to ensure that it is complying with HIPAA Rules.
New York Presbyterian Hospital faced an OCR investigation after it allowed film crews and staff from ABC television to capture two patients on screen without acquiring appropriate authorization. The media crew was filming for the television series “NY Med.”
“In particular, OCR found that NYP allowed the ABC crew to film someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop,” stated the HHS press release.
By allowing the media crew to film the patients, New York Presbyterian Hospital allegedly disclosed PHI, including images of patients, OCR pointed out.
“This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization,” said OCR Director Jocelyn Samuels. “We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.”
The OCR investigation also revealed that the hospital allegedly did not safeguard patient information per HIPAA obligations. While filming, the ABC media crew could have accessed most of the healthcare facility, including areas where PHI was stored.
“OCR also found that NYP failed to safeguard protected health information and allowed ABC film crews virtually unfettered access to its health care facility, effectively creating an environment where PHI could not be protected from impermissible disclosure to the ABC film crew and staff,” reported HHS.
In a FAQ webpage, HHS explained how healthcare providers can remain HIPAA compliant while allowing media to access the treatment areas of its facilities.
“Health care providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ PHI will be accessible in written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media,” explained HHS.
According to HHS, healthcare providers and media crews also cannot hide patient identities using methods such as voice altering, blurring of the face, and pixilation. Under the HIPAA Privacy Rule, providers must always acquire proper authorization from patients before media can access their PHI in the first place.
There are some cases where prior written authorizations is not required for a healthcare provider to release some PHI to the media, HHS pointed out. For example, providers may give the media limited PHI about an incapacitated patient in efforts to locate the patient’s family or identify the individual.
Additionally, this is not the first time that New York Presbyterian Hospital has agreed to pay in an OCR HIPAA settlement.
In 2010, New York Presbyterian Hospital and Columbia University paid $4.8 million in HIPAA settlement fines after an alleged healthcare data breach. An OCR investigation found a data network that was shared by both facilities inadvertently allowed ePHI to be accessible on web-based search engines.
The hospital paid $3.3 million out of the total settlement. OCR also developed a corrective action plan for the hospital, which included developing a risk analysis, implementing a risk management plan, reviewing policies, educating staff, and providing progress reports.