The feds are constantly on the lookout for HIPAA violations – and one high-profile case involving a reality show filmed at a hospital shows just how costly they can be for facilities. 

Last year, New York Presbyterian Hospital came under fire while it was in the midst of filming NY Med, a show chronicling the real-life efforts of providers to treat patients in its emergency department.

According to an article in Bloomberg BNA, the show’s film crew ended up capturing the last moments of one patient’s life without his express permission, despite objections from a medical professional. It also filmed another patient in extremely critical condition.

The family of the deceased patient sued New York Presbyterian, claiming it shouldn’t have allowed cameras to film the death of their loved one. A New York court recently reinstated the family’s civil claims against the hospital.

The case also caught the attention of the Department of Health and Human Services’ Office for Civil Rights (OCR).

Per a press release, the agency accused the hospital of committing an egregious HIPAA violation by letting the NY Med film crew have essentially unrestricted access to film what went on in the hospital. That meant patients’ protected health information (PHI), including their images, wasn’t safeguarded well enough.

New York Presbyterian opted to settle the charges for a hefty sum: $2.2 million.

As part of the settlement, the OCR will monitor the hospital for two years to make sure it stays compliant with HIPAA. In a statement sent to Bloomberg about the incident, the hospital insisted that the filming didn’t violate any privacy laws and that it entered the settlement “to bring closure to OCR’s review process.”

However, this situation serves as a sobering reminder to hospitals that any images taken of patients for media or marketing purposes must be used only with the person’s explicit written authorization – even if the person may not be readily identifiable at first glance. Erring on the side of caution is a facility’s best bet for avoiding problems.

Enforcement actions

The OCR is cracking down on facilities for other HIPAA violations, too. As discussed in an article from Data Breach Today, the agency has already taken enforcement actions against six covered healthcare entities for privacy and security issues this year.

Shortly before its settlement with New York Presbyterian, the agency settled with Raleigh Orthopaedic Clinic for $750,000 due to its failure to establish a business associate agreement before disclosing the PHI of over 17,000 patients to a potential business partner.

The OCR also entered into a $1.55 million settlement agreement with North Memorial Health Care of Minnesota in March for failing to create a business associate agreement and conduct a risk analysis. The health system’s lack of appropriate protections may have compromised the PHI of thousands of patients after an unencrypted laptop was stolen from a business associate’s vehicle.

Besides these instances, the OCR has recently gone after covered entities for improperly disclosing patients’ PHI and for failing to take the appropriate steps to secure PHI taken offsite to multiple locations.

Implications for hospitals

From these examples, it’s clear: The OCR is investigating suspected HIPAA violations of all kinds right now – and having violators pay big bucks to settle the allegations.

Plus, OCR recently announced that it has launched Phase 2 of its HIPAA audit program, meaning more facilities could land in its crosshairs soon for privacy issues both large and small.

Now’s the time to make sure all your policies regarding patients’ PHI meet federal standards and that all your facility’s efforts to protect confidential patient information are documented in writing. It’s also important that patients understand their full rights under HIPAA and that the information is disclosed to them clearly and concisely.