Washington, D.C. – The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced it reached a $2.2M court settlement with the New York Presbyterian Hospital for its calamitous infraction of HIPAA privacy rules. This settlement was announced April 21, 2016.
The hospital made an amateur and egregious error when it disclosed the protected health information of two of its patients. The hospital provided this information to film crews and their staff during the filming of an ABC television series called “NY Med.” The hospital provided the protected information to without consulting with and obtaining authorization from the patients. In point of fact, OCR has claimed that the hospital allowed the film crew to visually document a patient dying and another patient in significant distress. This was done even after medical staff pleaded that the crew stop. OCR’s subsequent investigation had found that the film crew was also given near to completely unfettered access to the hospital and its patients—potentially infringing upon the protected health information of every other patient.
Such catastrophic infractions of HIPAA privacy & security law are notable in that they could have easily been prevented with Certified HIPAA Privacy Security Expert (CHPSE) education and training of the compliance staff. It is important to note that with the potency of federal penalties, HIPAAtraining.net stands as the only resolute prevention to human error; which, is the most rational interpretation of the events at New York Presbyterian.
OCR has also made a point to emphasize its role in doling out well-investigated and proper justice to those who break HIPAA law. Jocelyn Samuels, Director of the OCR, stated “This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization.” She continued, “We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.”
Director Samuels, in more ways than one reaffirmed the necessity for proper execution of HIPAA privacy rules, as well as the top to bottom training of all healthcare employees. To momentarily digress, training also provides supplemental protection from various audits currently being executed by the OCR.
OCR released this statement the day the settlement was released, “By allowing individuals receiving urgent medical care to be filmed without their authorization by members of the media, NYP’s actions blatantly violate the HIPAA Rules, which were specifically designed to prohibit the disclosure of individual’s protected health information, including images, in circumstances such as these.”
OCR is confident in their ability to investigate, identify, and in more serious cases, punish, covered entities and their business associates. At the same time it is important that those who must comply with HIPAA law are equally confident in their ability to prevent the million dollar mistakes that New York Presbyterian fell upon. To be forthright, HIPAAtraining.net could have saved New York Presbyterian $2.2M, OCR probationary status, and the public relations nightmare which the hospital has been forced to endure. It’s simple, ensuring that healthcare employees know healthcare law is a logical imperative.