HHS HIPAA Settlement Reminds Hospitals to Obtain Patient Authorization Prior to Filming
The Department of Health and Human Services, Office for Civil Rights (OCR) recently announced that it has reached separate settlements with Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH) for compromising the privacy of patients’ protected health information (PHI) by inviting film crews on premises to film an ABC television network documentary series, without first obtaining authorization from patients. Collectively, the three entities paid OCR $999,000 to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
This is the second HIPAA case involving an ABC medical documentary television series, the previous being OCR’s April 16, 2016 settlement with New York-Presbyterian Hospital in association with the filming of “NY Med.”
To resolve potential HIPAA violations, BMC has paid OCR $100,000, BWH has paid OCR $384,000, and MGH has paid OCR $515,000. Each entity will provide workforce training as part of a corrective action plan that will include OCR’s guidance on disclosures to film and media.
This settlement serves as an excellent reminder to health care entities about the HIPAA privacy rule and requirements around allowing media personnel, including film crews, into treatment or other areas of their facilities where patients’ protected health information (PHI) will be accessible in written, electronic, oral, or other visual or audio form. Prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media must always be obtained.
As a reminder, a covered entity, including a health care provider, may not use or disclose PHI except either:
- as the HIPAA Privacy Rule permits or requires; or
- as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
Generally, the HIPAA Privacy Rule does not permit health care providers to disclose PHI to media personnel, including film crews, without having previously obtained a HIPAA-compliant authorization signed by the patient or his or her personal representative.
In other words, health care providers may not allow members of the media, including film crews, into treatment areas of their facilities or other areas where PHI will be accessible in written, electronic, oral or other visual or audio form, without prior authorization from the patients who are or will be in the area or whose PHI will be accessible to the media. It is not enough for a health care provider to request or require media personnel to mask the identities of patients (using techniques such as blurring, pixelation, or voice alteration software) for whom an authorization was not obtained, because the HIPAA Privacy Rule does not allow media access to the patients’ PHI, absent an authorization, in the first place.
This is a StayAlert! notice that also provides two example policies: Recordings, Films or Other Images of Patients and Authorization and Consent Form – Recordings, Films or Other Images, and Publication.
Sign up for a FREE 30-Day Trial of StayAlert! to gain access to the above policies and to get more notices and example policies and procedures directly to your inbox.
Document Compliance Software Solutions
For Healthcare. By Healthcare Experts.