NY Presbyterian Hospital Slapped With Second HIPAA Fine
This Time, Hospital Cited for Inappropriately Allowing Filming of Patients
For the second time in two years, federal regulators have slapped New York Presbyterian Hospital with a multi-million dollar penalty as part of a HIPAA settlement.
The Department of Health and Human Services' Office for Civil Rights says it reached a $2.2 million settlement with the hospital after determining it allowed a TV crew to film someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop.
The financial penalty stems from "the egregious disclosure of two patients' protected health information to film crews and staff during the filming of 'NY Med,' an ABC television series, without first obtaining authorization from the patients," OCR says.
"This case sends an important message that OCR will not permit covered entities to compromise their patients' privacy by allowing news or television crews to film the patients without their authorization," says Jocelyn Samuels, director of OCR, in the statement. "We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients' privacy is fully protected."
OCR says that by allowing individuals receiving urgent medical care to be filmed without their authorization, the hospital "blatantly violate[d] the HIPAA rules, which were specifically designed to prohibit the disclosure of individual's PHI, including images, in circumstances such as these."
In addition, OCR says it found that the hospital allowed ABC film crews "virtually unfettered access to its healthcare facility, effectively creating an environment where PHI could not be protected from impermissible disclosure to the ABC film crew and staff."
As part of a resolution agreement, OCR says it will monitor New York Presbyterian for two years, "helping ensure that [the hospital] will remain compliant with its HIPAA obligations while it continues to provide care for patients."
Under a corrective action plan that is also part of the settlement, New York Presbyterian, among other things, agreed to:
- Develop, maintain and revise, as necessary, its written policies and procedures to comply with the HIPAA privacy and security regulations;
- Submit those policies and procedures to HHS for approval, after which they are to be implemented; and
- Train all members of its workforce on those policies and procedures.
"OCR should be applauded for standing up to NY Presbyterian's aspirations for television stardom by sending the clear message that patients do not leave their right to privacy at the emergency room door," says privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek.
"Before allowing a camera to record the action in the emergency department, there should have been a careful review of the scenarios in which identifiable patient images would have been captured; how to obtain the necessary patient authorization prior to bringing the film crew into the treatment setting; how to deal with patients who are unconscious or otherwise unable to provide meaningful authorization; and ensuring institutional review of any recording prior to broadcast so that PHI, for which no authorization to disclose has been obtained, is left on the cutting room floor," he says.
This is the second time New York Presbyterian has been slapped with a hefty fine from OCR for "potential HIPAA violations."
In May 2014, HHS issued its largest HIPAA enforcement action to date, entering settlements totaling $4.8 million with New York Presbyterian and Columbia University following an OCR breach investigation.
The two New York organizations - which operate a shared data network and a shared network firewall administered by employees of both entities - submitted to OCR a joint breach report, dated Sept. 27, 2010, regarding the disclosure of the electronic PHI for about 6,800 patients (see $4.8 Million Settlement for Breach).
New York Presbyterian paid OCR a monetary settlement of $3.3 million, while Columbia University paid $1.5 million. The settlements cited, among other factors, the lack of a risk analysis and failure to implement appropriate security policies.
New York Presbyterian did not immediately respond to Information Security Media Group's request for comment on its latest HIPAA settlement.
So far this year, OCR has announced six HIPAA enforcement actions. On April 20, the office announced it had reached a $750,000 settlement with Raleigh Orthopaedic Clinic in a case stemming from the lack of a business associate agreement.