Television Crew's Filming of Hospital Patients Results in HIPAA Settlements Totaling Nearly $1 Million | Practical Law

The Department of Health and Human Services (HHS) announced settlements totaling nearly $1 million with three Boston-area hospitals for potential violations of the Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA). The enforcement actions arose after news stories indicated that the hospitals had allowed television film crews to film a medical documentary series at their facilities without first obtaining authorization from the hospitals' patients.

by Practical Law Employee Benefits & Executive Compensation
Published on 21 Sep 2018 | USA (National/Federal)
On September 20, 2018, HHS announced settlements totaling nearly $1 million with three Boston-area hospitals (and HIPAA covered entities) regarding potential violations of HIPAA's Privacy Rule (see Practice Note, HIPAA Privacy Rule and HIPAA Privacy, Security, and Breach Notification Toolkit).
Between December 2014 and January 2015, HHS began reviewing the hospitals' Privacy Rule compliance after news stories indicated that the hospitals had allowed television film crews to film a medical documentary series at their facilities. In some cases the hospitals had reviewed and assessed patient privacy issues concerning the filming and adopted protections concerning patient privacy, for example, providing the film crews with the same HIPAA privacy training that workforce members received (see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials). Despite these protections, however, HHS concluded in its investigations that the hospitals:
  • Impermissibly disclosed patients' protected health information (PHI) to the television crews by permitting filming without first receiving patient authorizations.
  • Failed to adequately safeguard patient PHI from disclosure.
HHS entered into separate settlement agreements with the three hospitals (one agreement for $515,000, a second agreement for $384,000, and a third agreement for $100,000), which collectively totaled nearly $1 million.

Hospitals' Corrective Action Plan Obligations

The settlement agreements involving two of the hospitals are substantially similar in many aspects and include the requirements addressed below.

HIPAA Policies and Procedures

Regarding policies and procedures, the two hospitals must:
  • Develop, maintain, and revise their written HIPAA policies and procedures to:
    • specifically prohibit the use or disclosure of PHI for photography, video recording, and audio recording that is not otherwise permitted under the HIPAA Privacy Rule until valid authorizations are obtained from the patients who are the subject of the PHI;
    • include a process for evaluating and approving media requests to film in non-public areas of the hospitals' premises to ensure that appropriate safeguards are in place and that compliant authorizations have been received;
    • identify hospital personnel or representatives that workforce members, agents, or business associates may contact with questions about HIPAA compliance and filming-related activities;
    • require hospital personnel to actively monitor all photography, video recording, and audio recording conducted on hospital facilities by media in non-public areas for purposes unrelated to medical treatment;
    • adopt internal reporting procedures requiring workforce members to report possible violations of the hospitals' HIPAA policies and procedures as soon as possible to the designated person or office;
    • implement policies for the hospitals to promptly investigate and address any reported violations; and
    • apply appropriate sanctions for workforce members who fail to comply with the hospitals' policies and procedures.
  • Provide their new and updated HIPAA policies and procedures to HHS for approval within 60 days of the corrective action plan's (CAP's) effective date.
  • Finalize and adopt the policies and procedures within 90 days of HHS's approval.
  • Distribute the policies and procedures to workforce members within 90 days of HHS's approval or, in the case of new workforce members, within 30 days of their start date.
  • Assess and, if necessary, revise the policies and procedures each year.

Reportable Events

The two hospitals must also report workforce members' violations, if any, of the approved policies and procedures (called reportable events) to HHS. The hospitals' reports must include:
  • A full description of the event, including relevant facts, individuals involved, and any provisions of the hospitals' HIPAA policies and procedures at issue.
  • A description of the actions the hospitals took in response and to mitigate any harm and prevent future violations.

Training

Regarding workforce members who are responsible for determining whether to allow media access or filming, the two hospitals must:
  • Provide training on the hospitals' policies and procedures within 90 days of their implementation date or, in the case of new workforce members, within 60 days of their start date (see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials).
  • Require a written or electronic certification from workforce members indicating they received and understood the training.
  • Review and, if necessary, update the training on an annual basis.
  • Not grant access to PHI to workforce members who did not provide the written or electronic certification.

Settlement Agreement for Third Hospital

Under the settlement agreement for the third hospital in this enforcement action, the hospital agreed to make a $100,000 payment. The third hospital also entered into a CAP under which it must (among other requirements) timely email its workforce members to remind them about its policy on filming patients for non-medical reasons. The email will include HHS's FAQs on permitting members of the media to enter the hospital's facilities without prior authorization. The third hospital's CAP also contains document retention and breach provisions.

Practical Impact

This is not the first time in recent years that a hospital has become the subject of an HHS settlement agreement for improperly disclosing patients' PHI by allowing television crews to film onsite in otherwise non-public areas of the hospital. In 2016, HHS reached a $2.2 million settlement with a New York hospital for what the government characterized as an "egregious disclosure" of two patients' PHI without obtaining the patients' authorization. In that incident, which involved production of the "NY Med" television series, the hospital had permitted the television crew to film one patient who was dying and a second who was in significant distress. At the time, at least one health care professional had urged the television crews to stop filming.
Judging from the relatively smaller payments imposed in these more recent settlements, the disclosures of patient PHI here were apparently less egregious than in the 2016 incident. Moreover, as noted, at least two of the hospitals involved had attempted to implement safeguards for patient privacy, which HHS may have considered as a mitigating factor.
Although it's hard to imagine a television crew being invited to film the inner workings of an employer's health plan (as a HIPAA covered entity) and its business associate-TPAs and subcontractors, these latest settlement agreements underscore the importance of HIPAA's restrictions concerning who is allowed to access individuals' PHI. The agreements are also of interest regarding HHS's methods for discovering potential HIPAA violations. For example, HHS's compliance review of one of the hospitals resulted from a news story posted on the hospital's own website indicating that a television crew would be filming a medical documentary program at the hospital.
For analysis of other HHS settlements with HIPAA covered entities and business associates, see Practice Note, HIPAA Enforcement: Settlement Agreements.