HHS Resolution Agreements: Boston Medical Center Corp. (Aug. 3, 2018); Brigham and Women’s Hosp., Inc. (Sept. 6, 2018); The General Hosp. Corp. d/b/a Mass. Gen. Hosp. (Sept. 6, 2018); HHS Press Release (Sept. 20, 2018)
HHS’s Office for Civil Rights (OCR) has announced settlements totaling nearly $1 million with three health care facilities (HIPAA covered entities) that compromised the privacy of patients’ protected health information (PHI) by inviting camera crews on premises to film a television documentary series, without first obtaining the patients’ authorizations. OCR’s press release noted that this is the second settlement involving the filming of a documentary. In 2016, a $2.2 million settlement resolved similar charges against another facility that allowed television crews to film patients without first obtaining authorizations (see our Checkpoint article).
In addition to the settlement payments, each facility has agreed to a corrective action plan (CAP). All three CAPs focus on communicating to workforce members each facility’s policies and procedures regarding filming patients for non-clinical purposes, including when the filming is done by the news media. Two of the CAPs require additional policies and procedures that prohibit use or disclosure of PHI for photography or audio or video recording unless permitted by the privacy rule or done with the prior authorization of affected patients or their personal representatives. These two CAPs elaborate on the expected content of the additional policies and procedures, including processes for evaluating and approving media requests to film in non-public areas, designating workforce members responsible for actively monitoring media activities in these areas, internal reporting procedures, and sanctions for violations.
EBIA Comment: Group health plans and their business associates are unlikely to encounter this specific issue since their operations are unlikely to be considered “must-see TV.” Still, these settlements provide important reminders. First, information that identifies, or can be used to identify, individuals may be PHI, even if the individuals are not specifically named. Health plans and business associates should scrutinize information to determine whether it is PHI, and, if so, whether and under what circumstances it can be used and disclosed. Second, HIPAA generally does not recognize implied authorizations to use or disclose PHI. In situations where an authorization is required, the authorization must be in writing and must include all required elements. Even when individuals initiate public disclosure of their own PHI, covered entities and business associates should not assume that the individuals have waived their privacy rights (see our Checkpoint article). It is also worth noting that efforts by two of the facilities to implement various privacy protections—including privacy training for the television crews—did not cure the facilities’ failure to obtain individuals’ authorizations. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”) and XXVI (“Core Privacy Requirement #1: Use and Disclosure Rules”).
Contributing Editors: EBIA Staff.