Healthcare News & Insights

Recent settlements show cost of HIPAA violations

The feds are constantly on the lookout for HIPAA violations – and one high-profile case involving a reality show filmed at a hospital shows just how costly they can be for facilities. 

GettyImages-480940200Last year, New York Presbyterian Hospital came under fire while it was in the midst of filming NY Med, a show chronicling the real-life efforts of providers to treat patients in its emergency department.

According to an article in Bloomberg BNA, the show’s film crew ended up capturing the last moments of one patient’s life without his express permission, despite objections from a medical professional. It also filmed another patient in extremely critical condition.

The family of the deceased patient sued New York Presbyterian, claiming it shouldn’t have allowed cameras to film the death of their loved one. A New York court recently reinstated the civil charges against the hospital.

The case also caught the attention of the Department of Health and Human Services’ Office for Civil Rights (OCR).

Per a press release, the agency accused the hospital of committing an egregious HIPAA violation by letting the NY Med film crew have essentially unrestricted access to film what went on in the hospital. That meant patients’ protected health information (PHI), including their images, wasn’t safeguarded well enough.

New York Presbyterian opted to settle the charges for a hefty sum: $2.2 million.

As part of the settlement, the OCR will monitor the hospital for two years to make sure it stays compliant with HIPAA laws. In a statement sent to Bloomberg about the incident, the hospital insisted that the filming didn’t violate any privacy laws and that it entered the settlement “to bring closure to OCR’s review process.”

However, this situation serves as a sobering reminder to hospitals that any images taken of patients for media or marketing purposes must be used with the person’s explicit consent – even if the person may not be readily identifiable at first glance. Erring on the side of caution is a facility’s best bet for avoiding problems.

Enforcement actions

The OCR’s cracking down on facilities for other HIPAA violations, too. As discussed in an article from Data Breach Today, the agency’s already taken enforcement actions against six covered healthcare entities for issues with privacy and security this year.

Shortly before its settlement with New York Presbyterian, the agency settled with Raleigh Orthopaedic Clinic for $750,000 due to its failure to establish a business associate agreement before disclosing the PHI of over 17,000 patients to a potential business partner.

The OCR also entered into a $1.55 million settlement agreement with North Memorial Health Care of Minnesota in March for failing to create a business associate agreement and conduct a risk analysis. The health system’s lack of appropriate protections may have compromised the PHI of thousands of patients after an unencrypted laptop was stolen from a business associate’s vehicle.

Besides these instances, the OCR’s recently gone after covered entities for improperly disclosing patients’ PHI and failing to take the appropriate steps to secure PHI taken offsite to multiple locations.

Implications for hospitals

From these examples, it’s clear: The OCR is investigating suspected HIPAA violations of all kinds right now – and having violators pay big bucks to settle the allegations.

Plus, OCR recently announced that it has launched Phase 2 of its HIPAA audit program, meaning more facilities could land in its crosshairs soon for privacy issues both large and small.

Now’s the time to make sure all your policies regarding patients’ PHI meet federal standards and that all your facility’s efforts to protect confidential patient information are documented in writing. It’s also important that patients understand their full rights under HIPAA and that the information is disclosed to them clearly and concisely.

  • Medipliance

    To avoid any HIPAA vioilations to Medical Office, Group Practice, Surgery Center and Solo Practitioners/ They need to undergo training, documentation and risk assessment. And we believe here in Medipliance we can help you to meet all the requirements needed. For more information, please visit our website at: https://www.medipliance.com/

  • @medipliance:disqus Agreed…In my opinion, there should be a minimum level of competence that is tied to Licensure. When I was first Introduced to HIPAA in my Professional role, it was presented as a strongly encouraged form of etiquette. My how times have changed! Yet I am unsure how the frontlines are being made aware of that their is now a “Sheriff” in town.

  • J.D.

    We recently got bills from a local (LARGE) med. clinic (2 months in a row) which had names, medical procedures, and bills/charges for FOUR other people included on them. (We do NOT know the people). We called the clinic immediately after the first bill, but then got another one with more people’s info a month later! When I sent copies to their “patient care” rep, she didn’t help or answer any questions or verify that they self-respect Ed the breaches… Nor did they come tact our insurance co. to make sure that got cleared up… All they did was send us a letter trying to order us to destroy the bills… (We didn’t and wont) They still have not showed us in any way that they self-reported, NOR did they even tell us that OUR info had not been sent out to these other people… I’m absolutely disgusted and will definitely be reporting them for MULTIPLE Hipaa violations.

Subscribe Today

Get the latest and greatest healthcare news and insights delivered to your inbox.