A recently publicized HIPAA breach at New York-Presbyterian Hospital involved unauthorized filming by a television film crew from ABC’s “NY Med,” a medical documentary series, of two patients at the hospital–one of whom was dying at the time of filming and has since passed away. In investigating this incident, the Office of Civil Rights (OCR) found that the hospital violated the HIPAA Privacy and Security Rules by allowing the film crew to film the two patients without their authorization, and by allowing the crew “virtually unfettered access to its health care facility.”
Aside from imposing a $2.2 million fine and 2-year corrective action plan as part of a settlement with the hospital, the incident gave OCR occasion to publish a new FAQ on the topic of health care providers’ interactions with media personnel in a HIPAA-compliant manner. In the FAQ, OCR has made it clear that health care providers may not allow the filming of patients without authorization, and that ad hoc measures geared at hiding the identity of patients (such as blurring or pixilation) do not cure such unauthorized filming. If filming is to occur in a treatment area, health care providers must ensure that authorizations are secured from all patients whose PHI may be accessible in any manner (whether in written, electronic, oral, or other visual or audio form) in that area—a likely impracticable requirement to satisfy in most cases, especially in a high-activity area such as an ER.
What does this mean for real-life dramas like NY Med? It may mean that the previously unfettered access that media personnel have enjoyed will take a backseat to patient privacy. It is important to recognize, however, that a health care provider’s approach to ensuring patient privacy must be more involved than posting a “No Filming Allowed” sign. As mentioned in the corrective action plan with New York Presbyterian, a robust set of policies and procedures, staff training (and re-training, as appropriate), and a system of imposing sanctions against staff who do not follow the policies and procedures are all critical components of HIPAA compliance as it relates to interacting with the media. Health care providers whose HIPAA compliance program falls short in any of these respects may do well to make enhancements.
An absolute prohibition on sharing PHI with the media may be unduly restrictive, and the FAQ helpfully outlines several exceptions to the general prohibition. In situations where media may assist a health care provider in locating family of an incapacitated patient, the health care provider may, without authorization, disclose to media certain limited information (such as location and general condition of the patient), if, in the provider’s professional judgment, doing so would be in the patient’s best interest. A provider may also disclose information about the location and general condition of a patient within its facility to media personnel that ask for that patient by name, provided the patient has not objected to being included in the facility’s directory. Additionally, sharing PHI with a film crew hired by the provider to create training videos in support of the provider’s health care operations is permissible without authorization if the provider enters into a business associate agreement with the film crew wherein the crew agrees, among other things, to use such PHI only for the limited purposes of its engagement, safeguard the PHI, and return or destroy all of the PHI once its work is completed.
Looking at the NY Med breach in the broader scheme of OCR enforcement activity confirms that HIPAA-regulated entities are now under more scrutiny than ever before. While incidents may be brought to OCR’s attention through complaints (as with the NY Med breach), OCR may also investigate HIPAA compliance on its own initiative–the recently-launched phase 2 of OCR’s audit program being a prime example. A thorough examination of how an entity protects the privacy and security of information as it is shared–through filming, mobile devices, portals, and other means–will go a long way toward ensuring HIPAA compliance.