Unauthorized TV Cameras in Hospitals Yield Costly HIPAA Penalties of $999,000
For the second time in as many years, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into settlement agreements with and levied hefty fines on three hospitals that allegedly impermissibly disclosed patients’ protected health information to ABC News in the course of filming a television network documentary series. OCR announced on September 20 that Boston Medical Center, Brigham and Women’s Hospital and Massachusetts General Hospital each reached agreements with HHS in which they agreed to pay a collective $999,000 to settle potential violations of the HIPAA Privacy Rule. According to each of the settlement agreements, HHS alleges that the covered entities allowed film crews into patient areas of the hospitals in late 2014 and January 2015 without appropriately safeguarding patients’ PHI from disclosure. In April 2016, a New York hospital agreed to pay $2.2 Million and enter into a settlement agreement and corrective action plan with OCR for similar alleged HIPAA violations that occurred during the filming of the television show “NY Med.”
The take away for covered entity providers, here, is that written authorization from patients must be obtained prior to allowing media personnel to enter non-public areas of facilities and especially prior to allowing filming of patients for non-clinical purposes, including for medical documentaries, news pieces, or tv dramas. As OCR made clear in its FAQ guidance document on this topic, it is not sufficient to simply require the film crew to later obscure the identity (via blurring, pixilation, or voice alteration) of any patients whose image or voice were recorded but who did not provide written authorization because the HIPAA Privacy Rule does not allow media access to the patients’ PHI in the first place absent an authorization. When providers require filming services to produce training videos or marketing materials in which patients are identified or PHI may be accessible, entering into a HIPAA business associate agreement is the best practice in addition to obtaining prior written authorizations from patients whose PHI is included in any public materials.