$2.2 Million OCR Settlement for Egregious Disclosure of PHI

By Bob Grant, Chief Strategy Officer, Compliancy Group
Twitter: @compliancygroup

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that New York Presbyterian Hospital would be required to pay a $2.2 million settlement after the “egregious disclosure” of two patients’ protected health information (PHI). NYP allowed an ABC film crew and staff from the show “NY Med” to film two patients, one of whom was dying and the other of whom was experiencing serious distress. OCR discovered that the crew was allowed to continue filming, even after being urged to stop by a hospital employee.

“This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization,” said OCR Director, Jocelyn Samuels. “We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.”

OCR commented on the case, citing blatant violations of the HIPAA regulations that deal with the protection of patients’ PHI. OCR also found that the ABC film crew was given “virtually unfettered” access to the NYP facilities without any safeguards being put in place to protect PHI the crew may have encountered.

OCR also provided clear guidance on the matter of PHI and the media, saying: “Health care providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ PHI will be accessible in written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media.”

This $2.2 million settlement comes only a few years after NYP and Columbia University paid a joint $4.8 million settlement after a massive data breach. Given NYP’s history of major fines, OCR has made specific provisions to monitor NYP over the next two years to ensure that it maintains compliance with HIPAA regulations and avoids these kinds of unauthorized, insensitive breaches of PHI and patient privacy.

About the Author: Bob Grant is the Chief Strategy Officer of the Compliancy Group. The Compliancy Group offers a suite of products and solutions to help you meet HIPAA Compliance. Attend one of their upcoming free educational webinars or schedule a demo of the company’s all-in-one compliance product, The Guard. This article was originally published on the Compliancy Group blog and is republished here with permission.