The Department of Health and Human Services Office for Civil Rights (“OCR”) fined three separate hospitals a cumulative total of $999,000 to settle potential violations of HIPAA arising from allowing film crews on premises to film a reality television show without first obtaining patient authorizations. The OCR Resolution Agreement can be found here.
Generally, a covered entity may not use or disclose a patient’s protected health information (“PHI”) without a HIPAA-compliant authorization, unless that use or disclosure meets a HIPAA exception. When a third party is invited or permitted by a covered entity to film on premises, any patient images and information recorded could be considered PHI. In these instances, it can be difficult to distinguish whether the patient is releasing their own information or whether the covered entity is using or disclosing the patient’s PHI.
When a covered entity has invited a third party on site, the covered entity will likely be considered to be “disclosing” the patient’s PHI by facilitating the filming, even if the patient willingly participates. When PHI is disclosed in this manner, the covered entity should obtain a HIPAA-compliant authorization from any patient being filmed or their authorized representative. The authorization should accurately reflect how the recorded materials will be utilized to ensure that the patient fully understands how their PHI may be used and disclosed.
Additionally, covered entities allowing filming or recording on premises should not only obtain necessary HIPAA authorizations but should also enter into an agreement with any third party entity filming or recording patients. The agreement should set forth the parameters for accessing the premises and filming. It should also establish additional safeguards against violations of patient privacy, such as a contractual requirement to obfuscate the images or identifying information of patients who did not sign a HIPAA authorization. Finally, in instances where the third party entity is conducting such filming or recording on behalf of the covered entity itself, such as filming a patient testimonial, a HIPAA-compliant Business Associate Agreement would be required.
Covered entities can mitigate the risk of such violations by ensuring that they have policies and procedures in place to address filming or recording of patients and by training their workforce members on those policies and procedures.