On April 21, 2016, the Department of Health and Human Services ("HHS") Office for Civil Rights ("OCR") announced a $2.2 million settlement with a New York hospital ("Hospital") stemming from unauthorized patient filming by ABC's NY Med television show. In what OCR called an egregious disclosure of protected health information ("PHI") in violation of HIPAA, the Hospital did not obtain patient authorization for the filming and ABC's film crews had extensive access to the Hospital's facilities, which risked further impermissible disclosures of PHI. Beyond the $2.2 million monetary settlement, the Hospital must implement a comprehensive correction plan and be subject to OCR monitoring for two years.In August of 2012, the widow of a patient who died at the Hospital immediately recognized her husband as the individual being filmed during treatment as she watched an episode of NY Med. The family later filed a complaint with OCR, which investigated the matter and determined that the Hospital had improperly permitted the filming of patients without receiving HIPAA-required authorizations. While measures were taken to obscure the individual identities on NY Med, the HHS website states, "It is not sufficient for a health care provider to request or require media personnel to mask the identities of patients (using techniques such as blurring, pixelation, or voice alteration software) for whom an authorization was not obtained, because the HIPAA Privacy Rule does not allow media access to the patients' PHI, absent an authorization, in the first place."
This settlement is reminiscent of the 2013 OCR settlement with a California hospital involving the hospital's disclosure of PHI to the media in response to a patient complaint. As in this recent case, the California hospital did not have a patient authorization permitting the disclosure and was required to pay a monetary settlement and enter into a resolution agreement with HHS.
These OCR investigations and settlements should signal to covered entities the importance OCR is placing on the issue of patient privacy in the context of media access. Covered entities may believe discussions with or filming by the media serves a valuable purpose, such as educating the public on medical topics or as a way to effectively respond to complaints. However, even well-intentioned disclosures to the media can result in HIPAA violations if the proper authorizations are not obtained.
This is not the first enforcement action against the Hospital. In 2014, OCR settled with the Hospital and another covered entity for failing to secure the electronic PHI of 6,800 individuals that became available on the Internet.
Following this enforcement action, it is important for covered entities to understand and implement HIPAA's requirements regarding media access and patient filming. In particular, covered entities should take the following steps:
- Review and update HIPAA policies on media inquiries, disclosure of PHI and use of authorizations;
- Provide special training to workforce members who interact with media members;
- Confirm patient authorizations are in place and written agreements are signed with the media member dictating the terms and conditions of the media's access; and
- Ensure the covered entity maintains the security and integrity of its environment and PHI in the event patient filming takes place or when members of the media are on site.
More information on this enforcement action, including the resolution agreement and the OCR press release, is available here.