The intent of HIPAA laws has always been to put patients’ privacy first. Sometimes even well-established institutions fail to operate from this perspective. Unfortunately, a “good enough” attitude toward PHI can cost upward of $2.2 million.
Following an investigation by the Department of Health and Human Services’ Office for Civil Rights, New York-Presbyterian Hospital has agreed to a settlement, which includes a $2.2 million penalty, staff training, increased privacy controls and monitoring by the HHS for 2 years. The agreement comes after the investigation into the hospital allowing a television crew to film two patients without their consent uncovered a multitude of additional HIPAA violations. The incident, which occurred in 2012, has prompted the HHS to more clearly define the rules revolving around the filming of patients. This baffling turn of events, which has slowly developed over the last 4 years, has illustrated just how costly it can be to take a “good enough” attitude towards HIPAA compliance and added weight to the HHS’ promise to investigate all complaints.
The film crew in question was working for a popular ABC reality series known as “NY Med”. The show followed a well-known surgeon around the hospital as he treated various patients. However, the hospital administration failed to acquire appropriate permission from the patients before allowing the show to film. Mark Chanko, one of the two patients involved in the investigation, died shortly after the show had filmed him while incapacitated in a hospital bed as a result of injuries he sustained after being hit by a garbage truck. While the show took steps to obscure the identity of the patients using techniques such as blurring their faces and using software to alter their voices, Mr. Chanko was still recognized by a family member who then filed a complaint with the HHS in January of 2013.
While using editing techniques to mask people’s identities has been something of a common practice in television for many years, the HHS says it’s not good enough. In the future, film crews will have to obtain direct authorization from all patients who are present in order to film. Some have speculated that this ruling from the HHS may end filming in hospitals almost entirely. A hospital the size of New York-Presbyterian should have known that allowing filming of patients without prior authorization would cause serious regulatory liabilities, yet it did nothing to ensure HIPAA privacy rules were being followed. Even worse, the HHS is claiming that the hospital chose to continue allowing filming even after a medical professional asked them to stop.
However, the trouble for New York-Presbyterian Hospital doesn’t end there. The HHS has also accused the hospital of allowing the ABC film crew “virtually unfettered access” to the facility, claiming that they created a situation in which PHI could not have been realistically protected from impermissible disclosure. Now the hospital has been left with a hefty bill, loss of reputation and a continued HHS presence to keep an eye on their compliance program for the next 2 years.
There are many lessons to be learned from the failings of New York-Presbyterian. Most of the time, when there is a breach or other HIPAA violation by a large covered entity, there are numerous takeaways about how to best satisfy some of the more complicated aspects of the regulation. In this case, New York-Presbyterian is taking us back to basics and reminding us all that the size of the organization doesn’t matter when it comes to protecting PHI. The hospital displayed an almost blatant disregard for the intent of HIPAA. They chose to believe that operating in one of the regulation’s various gray areas would be good enough. After all, there is no section of HIPAA that specifically states obscuring someone’s face is or isn’t an effective means of protecting their privacy.
Their first big mistake was the complete failure to acquire patients’ authorization to film. If the hospital was truly interested in protecting the privacy of their patients, and by extension their own bank account, they would have insisted on collecting written consent forms from each patient they intended to film. Adherence to this simple concept would have prevented the entire situation, especially considering that in Mr. Chanko’s condition he would not have been physically able to grant them permission to film. No one stopped to consider that the mere act of filming him, even with the understanding that ABC would later blur his face, could be considered an unauthorized disclosure. That film, by definition, is PHI. Allowing the unauthorized creation, disclosure and use of that PHI undoubtedly constitutes a breach. Rather than erring on the side of safety and abiding by the intent of the regulation, they hoped that editing the film to obscure the patient’s face would be good enough.
The hospital’s second major shortcoming was the reported carte blanche they gave the film crew in terms of access to the facility. By letting the film crew wander through large portions of the hospital at their own discretion, they created a situation where it would be next to impossible to ensure that additional breaches did not occur. Any number of patients may have been filmed without their consent, not to mention all of the charts, paperwork, and phone calls that may have ended up on film as well. In that situation, it is a near certainty that a large number of HIPAA rules were violated.
Another massive red flag that the hospital somehow missed, or chose to ignore, is that a medical professional who saw what was going on reportedly warned them that they needed to stop filming. Instead of heeding this person’s warnings, they chose to continue allowing the unauthorized filming, thus destroying any chance the hospital had of playing this off as an honest mistake or claiming a misunderstanding. Although neither of these claims would get them off the hook entirely, the HHS levies significantly lower fines when a violation is not a product of “willful neglect”. Considering all the facts, it comes as something of a surprise that New York-Presbyterian isn’t on the hook for a larger penalty than it is.
All of the available evidence indicates that the hospital violated a wide variety of HIPAA’s rules. However, the hospital is claiming that they did nothing wrong and is refusing to admit that they violated any aspect of HIPAA. A statement released by New York-Presbyterian claimed that they did not violate the privacy rule and that the show “garnered critical acclaim, and raised the public’s consciousness of important public health issues”. There is no exception outlined in HIPAA that says obvious violations of the rules are OK as long as your show gets good ratings. Furthermore, there are well-documented standards for de-identifying PHI for use in education and research, none of which include blurring patients’ faces after filming them without their consent or even the ability to give consent. However, this may be a necessary position for the hospital to take as they are now being sued in civil court by the Chanko family.
While it’s unknown if New York-Presbyterian’s administrative staff realized that what they were doing was going to lead to a dicey legal situation for them, it’s likely that no one familiar with HIPAA would think what they were doing was a good idea. Time and again we see that best practice when dealing with HIPAA is to act in favor of your patients’ rights. Always keeping in mind the spirit and intent of HIPAA is crucial when adapting it to real-world practices. While HIPAA applies to the entirety of the healthcare industry, it is oftentimes vague so as to remain flexible and scalable for any number or size of organizations. Intentionally trying to slip through the cracks is a sure-fire way to end up as the subject of an HHS investigation.
An incident like this goes to show us all that even large, seemingly competent, covered entities can fail at even the simplest aspects of HIPAA. It also highlights the HHS’ willingness to expand their already long list of privacy rules when prompted to do so as well as their tenacious nature in regards to investigating complaints. Hopefully, most health care providers would have the good sense not to get carried away with the idea of having a popular TV show to the point of disregarding their obligations under HIPAA. Thanks to New York-Presbyterian, we now have a federal directive specifically disallowing it – a lesson dearly learned for the princely sum of $2.2 million and counting.