HIPAA violations result in $2.2 million settlement
May 4th, 2016
With the complexity and ever-changing nature of healthcare regulations these days, staying on top of the constant changes in, and expansion of, rules and mandates can seem like an overwhelming task. But it’s a critical one for any healthcare organization. Violations of these regulations can have serious financial and legal consequences for everyone involved.
Take NewYork-Presbyterian Hospital. The Department of Health and Human Services, Office for Civil Rights (OCR) announced Thursday that it has reached a $2.2 million settlement with the hospital for the “egregious disclosure” of two patients’ protected health information (PHI) to film crews and staff during the filming of the reality television show “NY Med,” without first obtaining authorization from the patients.
In particular, OCR found that the hospital allowed the television crew to film a dying patient and another person in significant distress, even after a medical professional urged the crew to stop, and also alleged that the hospital gave film crews “virtually unfettered” access to the facility, creating a situation where patient information could not be protected.
In a statement, NewYork-Presbyterian did not admit any wrongdoing and said it did not believe it had violated HIPAA’s privacy rules. In addition to paying the fine, it agreed to update its privacy policies and provide additional training to staff. The hospital will be monitored by OCR for two years to ensure compliance with HIPAA.
The settlement prompted OCR to clarify HIPAA rules regarding media access, and the agency has made available a new FAQ sheet on the subject. It states that not only are covered entities prohibited from disclosing protected health information to members of the media without a prior patient authorization, they must also take affirmative steps to prevent incidental disclosures by ensuring that other PHI is not easily observable in the environment being photographed or filmed.
It also states that it’s not sufficient for a healthcare provider to request or require media personnel to mask the identities of patients (using techniques such as blurring, pixelation, or voice alteration software) for whom an authorization was not obtained, because the HIPAA Privacy Rule does not allow media access to the patients’ PHI, absent an authorization, in the first place.
The NewYork-Presbyterian/OCR settlement, and the resulting new FAQ item, should come as no surprise to anyone familiar with HIPAA, or who has been monitoring OCR lately. OCR just recently announced a $750,000 settlement with an orthopedic group in North Carolina that disclosed PHI to a potential business partner without a business associate agreement.
One thing is clear – HIPAA violations are not something that OCR is taking lightly these days. The near-weekly settlement announcements over the past few months are proof of that.
It’s obviously more important now than ever for healthcare organizations to stay on top of healthcare compliance and regulations. They can do so with Elsevier’s learning products, such as EduCode Regulatory Essentials and the HCPro Corporate Compliance and HIPAA libraries, which provide a comprehensive review of key requirements of HIPAA privacy and security provisions, confidentiality and patient rights, with specific lessons targeting “hot topics.”
There’s no time like the present to arm your staff with the targeted education they need when it comes to healthcare compliance.