A New York hospital has settled with the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) for $2.2 million after allowing a TV crew for the ABC documentary series “NY Med” to film patients receiving medical treatment without obtaining prior authorization from the patients or their representatives. The estate of one of those patients is also suing the hospital and the physician who treated the patient in state court for violating patient-physician confidentiality. According to a recent order in that case, the patient’s widow first learned that her husband had been filmed in the hospital while watching an episode of “NY Med” months after his death. She recognized the scene at the hospital, heard her husband’s voice as he was receiving treatment, and watched him die.
According to OCR, the hospital “blatantly” violated the HIPAA Privacy Rules when it allowed patients receiving urgent medical care to be filmed without their authorization. In addition to failing to obtain patient authorization, OCR’s investigation confirmed that the hospital failed to appropriately and reasonably safeguard protected health information (“PHI”) during the filming of the show. The OCR found that the hospital allowed the ABC film crews “virtually unfettered access” throughout the hospital, which created an environment where PHI could not be protected from impermissible disclosure to the film crew. OCR’s frequently asked questions section of its website provides insight on the presence of film crews at provider sites, recognizing that hospitals often work with the media to promote services and programs but must do so in a manner that protects PHI.
In announcing the settlement, the Director of OCR reiterated the agency’s commitment to ensuring that patients’ privacy is fully protected and emphasized that “this case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization.” This is the second settlement by OCR in the last two months related to a covered entity allowing a disclosure of a patient’s image without first obtaining written authorization from the patient. In February 2016, a physical therapy practice settled with the OCR for $25,000 and entered a corrective action plan after posting patient testimonials and full facial images of patients on its website without first obtaining authorization from the patients.
Covered entities should re-assess their existing policies and procedures regarding photographing and filming patients and carefully review the settlement, which requires the hospital to revise its HIPAA policies and procedures to include:
- A specific prohibition on the use or disclosure of PHI by hospital workforce members and business associates to any person or entity planning, coordinating or engaging in photography, video recording or audio recording without the prior authorization of the patient who is the subject of the PHI sought to be disclosed or his or her personal representative;
- A process for evaluating and approving authorizations requesting the disclosure of PHI;
- Identification of hospital personnel to be contacted by workforce members or business associates in the event of any concern regarding compliance with HIPAA;
- A requirement that all photography, video recording and audio recording conducted on the hospital’s premises be actively monitored by appropriate hospital representatives for compliance with the HIPAA Privacy Rule and the hospital’s policies;
- Procedures for prompt investigation and resolution of claims that policies may have been violated; and
- Application of appropriate sanctions against members of the hospital’s workforce, including supervisors and managers, who fail to comply with the hospital’s policies and procedures.
Before undertaking marketing that will involve filming of patients or hospital operations, covered entities should consult with their HIPAA Privacy Officer or experienced health care counsel to ensure that the privacy of patients is protected as required by HIPAA and applicable state confidentiality laws.