HIPAA Compliance Failures Make for Bad Television

In response to the increased media presence in hospitals, the Department of Health and Human Services (“HHS”) issued guidance this week reminding health care providers that the COVID-19 outbreak does not change HIPAA’s privacy rules with respect to giving the media access to treatment areas. The guidance reinforces and amplifies existing HHS guidance by providing examples of its application to the COVID-19 public health emergency.

A patient receiving treatment in a health care facility is typically surrounded by protected health information (“PHI”), which includes health information in any form or medium (e.g., oral communications, life function monitors, charts, etc.). HHS’s guidance provides several examples of PHI in treatment areas, including how the mere presence of a patient in the area of a health care facility dedicated to treating a specific disease, such as COVID-19, reveals the patient’s diagnosis. As such, members of the media entering a health care facility’s treatment areas immediately have access to PHI they can see, hear and record.

HIPAA’s privacy rules do not permit health care providers to give members of the media access to any areas of their facilities where patients’ PHI will be accessible without first obtaining written authorization from each patient:

  • who is or will be present in the area, or
  • whose PHI will be accessible to the media.
This is the case even if the media obscures a patient’s identity. The written authorization must comply with HIPAA content requirements and may be provided by a patient’s personal representative to the extent permitted under HIPAA.

In addition to obtaining a valid HIPAA authorization, health care providers must put in place reasonable safeguards to prevent the impermissible or incidental disclosure of PHI for which no prior authorization has been obtained. HHS's guidance provides examples of safeguards to put in place when granting media access to treatment areas, including installation of privacy screens for computer monitors and privacy barriers for patients who have not signed an authorization.

A health care provider’s failure to comply with HIPAA’s privacy rules when granting media access can lead to significant HHS enforcement actions. In 2016, for example, HHS entered a settlement agreement with a New York City area hospital that impermissibly disclosed the PHI of two patients when permitting a television program to be filmed in the hospital. The settlement agreement required the hospital to pay HHS $2.2 million and to adopt a corrective action plan that included two years of HHS monitoring.

Health care providers that permit filming without taking appropriate privacy measures may be televising costly HIPAA compliance failures to a watchful HHS.

If you have any questions regarding HIPAA compliance requirements, please contact a member of our Employee Benefits Group.