New York Presbyterian Hospital has reached a settlement with the Office for Civil Rights (OCR) to pay $2.2 million HIPAA violation fine for the unauthorized disclosure of two patients Protected Health Information (PHI). The PHI was released to film crews and staff during the filming of an ABC television series called “NY MED.” This was done without authorization from the patients. OCR discovered that North Presbyterian Hospital (NYP) allowed the ABC film crew to record someone dying, and another person who was in significant distress. This took place even after medical professionals urged the ABC film crew to stop.
“This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization,” said Jocelyn Samuels, OCR’s Director. “We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.”By allowing individuals who were receiving medical attention to be filmed without their knowledge or authorization by members of ABC filming crew, NYP’S blatantly violated the HIPAA rules. Rules that are specifically made in order to stop the disclosure of an individual’s PHI.”
Along with the $2.2 million dollar settlement New York Presbyterian Hospital is required to:
- Develop and revise all policies and procedures to comply with the Federal Standards that comply with privacy and security of PHI
- A process for evaluating and approving authorizations that request the disclosure of PHI
- Requirements that all photos, video, and audio recordings conducted are actively monitored by an appropriate employee for compliance with the Privacy Rule
- All members of NYP’s workforce are to receive training on the policies and procedures in order to comply with the Privacy Rule
This is the sixth HIPAA violation fine in 2016 by HHS (Read the previous resolution agreements here)
What is the specific HIPAA violation?
New York Presbyterian Hospital violated the HIPAA Privacy Rule by allowing the film crew to record both video and audio content of patients with out the proper authorization. OCR also found that NYP failed to safeguard PHI by allowing the ABC film crew virtually total access to the healthcare facility, which in return created an environment where PHI could not be properly protected from unauthorized disclosure to the ABC film crew and staff.
HIPAA Violations and Corrective Action Plan (CAP)
New York Presbyterian Hospital has agreed to pay HHS $2,200,000 (Resolution Amount) in order to settle potential violations of the HIPAA Rules. This settlement also includes a comprehensive corrective action plan (CAP) that includes two years of monitoring in order to ensure HIPAA compliance. This action plan will include training on the policies and procedures in order to fully comply with the Privacy Rule, along with requirements that all photos, video, and audio recording conducted be actively monitored by an appropriate employee for compliance with the Privacy Rule.
What could have been done differently?
Before filming any individuals receiving urgent or non-urgent medical care, proper authorization needs to be in place. HIPAA Rules are specifically designed to prohibit the disclosure of individual’s PHI which includes, images, audio, and video recordings, in circumstances such as these. ABC’s film crew technically did not do anything wrong. It is New York Presbyterian Hospital’s responsibility to protect and safeguard its patient’s PHI. Simply getting permission from the patients would have been sufficient in allowing ABC to film. However a covered entity, including a health care provider, may not use or disclose PHI, except either:
(1) As the HIPAA Privacy Rule permits or requires
(2) As the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
To learn more about how EHR 2.0 can help reduce HIPAA violation by setting up policies and procedures that will ensure your healthcare practice is and stays HIPAA compliant, please visit us at https://ehr20.com/services/