The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced today that New York Presbyterian Hospital would be required to pay a $2.2 million OCR settlement after the “egregious disclosure” of two patients’ protected health information (PHI). NYP allowed an ABC film crew and staff from the show “NY Med” to film two patients, one of whom was dying, and another experiencing serious distress. OCR discovered that the crew was allowed to continue filming, even after being urged to stop by a hospital employee.
“This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization,” said OCR Director, Jocelyn Samuels. “We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.”
OCR commented on the case, citing blatant violations to the HIPAA regulation that deal with the protection of patients’ PHI. OCR also found that the ABC film crew was given “virtually unfettered” access to the NYP facilities without having taken any safeguards to protect PHI the crew may have encountered.
OCR also provided clear guidance on the matter of PHI and the media, saying: “Healthcare providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ PHI will be accessible in written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media.”
This $2.2 million OCR settlement comes only a few years after NYP and Columbia University paid a joint $4.8 million settlement after a massive data breach. With a history of major fines behind them, OCR has made specific provisions to monitor NYP over the next two years to ensure that they maintain compliance with the HIPAA regulation and avoid these kinds of unauthorized, insensitive breaches of PHI and patient privacy.