The Department of Health and Human Services (HHS) has announced an $80,000 settlement of potential Privacy Rule violations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) involving a New York-based, nonprofit academic medical center (and HIPAA covered entity (CE)). The enforcement action arose after a national news organization published an article about the medical center's COVID-19 response efforts that included photographs and information about patients being treated for COVID-19 at the medical center.
Under the settlement, the medical center must also comply with a two-year corrective action plan (CAP).
HHS began reviewing the medical center's HIPAA compliance after a national news organization published an article about the medical center's COVID-19 response efforts. The article included photographs and information about three patients who were being treated for COVID-19 at the facility. HHS's investigation indicated that the medical center disclosed patients' protected health information (PHI) to a reporter without the patients' authorizations in April 2020 (toward the start of the pandemic). According to HHS, the images at issue, which were distributed nationally, exposed PHI consisting of patients':
COVID-19 diagnoses.
Current medical statuses/prognoses, vital signs, and treatment plans.
Corrective Action Plan Addresses Policies, Procedures, Training, and More
In addition to the $80,000 payment, the medical center must comply with a CAP that imposes obligations involving HIPAA policies and procedures and training.
HIPAA Policies and Procedures
Regarding policies and procedures, the medical center must develop, maintain, and revise its written HIPAA policies and procedures to:
Specifically prohibit the use or disclosure of patients' PHI by the medical center's workforce members, agents, and HIPAA business associates (BAs) to persons and entities engaged in photography, video recording, and audio recording without authorizations from the patients or their authorized representatives (see Standard Document, HIPAA Business Associate Agreement).
Include a process for evaluating and approving requests concerning the use or disclosure of PHI before allowing third parties to access patient PHI, treatment areas, or other facility areas where PHI is accessible in written, electronic, or oral form (or other audio or visual forms).
Adopt an internal process that requires workforce members to promptly report violations of the medical center's HIPAA policies and procedures to the designated Privacy Officer and requires the medical center to promptly investigate and address reports of violations (see Practice Note, HIPAA Privacy Rule: Privacy and Security Officer).
Identify medical center personnel or representatives that workforce members, agents, or BAs may contact with questions about HIPAA compliance.
Require medical center personnel to actively monitor all photography, video recording, and audio recording conducted in medical center facilities by third parties, including for purposes unrelated to medical treatment.
Implement policies for the medical center to promptly investigate and address any reported violations.
Impose appropriate sanctions for workforce members who fail to comply with the medical center's policies and procedures.
The medical center must submit the revised policies to HHS for approval. After the policies are approved, the medical center must:
Finalize and adopt the policies and procedures, and timely distribute them to workforce members.
Obtain from each workforce member a written or electronic certification stating that the workforce member has read, understands, and will comply with the policies and procedures. The medical center may not allow a workforce member who has not provided this certification to access PHI.
Assess and, if necessary, revise the policies and procedures each year.
If the medical center's policies and procedures are revised going forward, the center must re-submit them to HHS for approval and obtain new compliance certifications from workforce members.
Reportable Events
The medical center also must report workforce members' violations, if any, of the approved policies and procedures (called reportable events) to HHS. The reports must include:
A full description of the event, including relevant facts, individuals involved, and any provisions of the medical center's HIPAA policies and procedures at issue.
A description of the actions the medical center took in response and to mitigate any harm and prevent future violations, including sanctions against workforce members.
Training
The medical center must submit its HIPAA training materials to HHS for approval. Once the training materials are approved, the medical center must:
Obtain a written or electronic certification from workforce members indicating they received and understood the training.
Review and, if necessary, update the training on an annual basis.
Not grant access to PHI to workforce members who did not provide the written or electronic certification.
Practical Impact
Early in the COVID-19 pandemic (but after the events at issue in this latest HIPAA settlement agreement), HHS issued guidance addressing how HIPAA's privacy requirements may limit the filming of individuals receiving COVID-19 treatment in hospital settings. That guidance confirmed that the COVID-19 public health emergency (PHE) did not alter the Privacy Rule's existing restrictions on disclosing individuals' PHI to the media. Under HIPAA, health providers and other CEs may not:
Provide the media, including film crews, access to areas of their facilities where patients' PHI is accessible in any form (including written, electronic, oral, or other visual or audio form), without first obtaining a written HIPAA authorization from each individual whose PHI would be accessible to the media.
Require patients to sign a HIPAA authorization as a condition of receiving treatment.