During the week of April 18, 2016, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced two significant settlements with a large New York City hospital and a North Carolina orthopaedic practice relating to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
New York Presbyterian Hospital (NYP) agreed to pay $2.2 million due to the disclosure of protected health information (PHI) during the filming of a television show in the hospital.
The Raleigh Orthopaedic Clinic (ROC), a North Carolina orthopedic practice, agreed to pay $750,000 relating to allegations that ROC transferred PHI to a business partner without first executing a business associate agreement (BAA).
To date in 2016, OCR has publicly announced six settlements relating to HIPAA, and the total dollars paid by the entities involved in these settlements is in excess of $8.6 million.
These two most recent settlements reiterated OCR’s active enforcement of HIPAA and the necessity of covered entities and business associates maintaining a comprehensive HIPAA compliance program.
OCR’s investigation of NYP arose from a complaint OCR received against NYP. The complaint alleged that NYP impermissibly disclosed PHI to a film crew for a television show being filmed in the hospital. After investigation, OCR determined that NYP impermissibly disclosed the PHI of two patients to the television show’s crew. According to the press release announcing the settlement, NYP allowed the crew to film someone who was dying and another person in significant distress. Further, according to the Resolution Agreement, NYP failed to implement policies, procedures and practices to protect its patients’ PHI during the filming of the show.
As a condition of the settlement, NYP entered into a Corrective Action Plan (CAP) with OCR. According to the CAP, NYP is required to do the following:
Develop, maintain and revise its policies and procedures to comply with the HIPAA Privacy and Security Rules. The policies and procedures must include the following:
A prohibition on the disclosure of PHI for photography or video recording without the prior authorization of the patient;
A process for evaluating and approving authorizations for the disclosure of PHI;
A requirement that all photography and video recording on NYP’s premises be actively monitored by NYP representatives for HIPAA compliance;
Measures to investigate possible violations of the HIPAA policies and procedures and to apply appropriate sanctions against workforce members who fail to comply with them.
Once approved, distribute the new and revised policies to all workforce members. NYP is also to train all workforce members on the policies and procedures.
Submit a series of two reports to OCR with respect to NYP’s compliance with the CAP. The first report is due within 90 days of OCR’s approval of NYP’s HIPAA policies and procedures and is to summarize the status of its implementation of the CAP requirements. The second report is due within 60 days after the expiration of the CAP and is to report the status of, and NYP’s findings regarding, its compliance with the CAP.
The NYP Resolution Agreement, CAP and press release are available here.
OCR’s investigation of ROC originated from an April 30, 2013 breach report. According to the Resolution Agreement between OCR and ROC, the breach report stated that ROC transferred x-ray films containing PHI for approximately 17,300 patients to a vendor for the vendor to harvest silver from the films. In exchange, the vendor was to transfer the x-rays into electronic media. ROC failed to execute a BAA with the vendor prior to transferring the films.
In addition to the $750,000 payment, ROC entered into a CAP with OCR. According to the CAP, ROC is required to do the following:
Revise its policies and procedures with respect to BAAs to: (i) designate one or more individuals who are responsible for ensuring that ROC enters into BAAs with business associates; (ii) create a process to assess whether any current or future ROC business relationship is a “business associate” relationship; (iii) create a process for negotiating and entering into BAAs prior to disclosing PHI; (iv) create a template BAA; (v) create a process for maintaining documentation of a BAA for at least six years; (vi) limit disclosures of PHI to business associates to the minimum necessary.
Create training materials on the revised BAA policies and procedures. Once the materials are approved by OCR, ROC will conduct workforce training.
Submit annual reports for the two-year period of the CAP with respect to ROC’s compliance with the CAP.
The ROC Resolution Agreement, CAP and press release are accessible here.
OCR has already been very active in HIPAA enforcement in 2016. Saul Ewing has monitored and written about these HIPAA settlements, which may be found here:
Improper Disclosure of Research Information Results in $3.9 Million Settlement
Seven-Figure Settlement Reinforces Necessity of Business Associate Agreements
Six-Figure January HIPAA Enforcement Activities Highlight Importance of Maintaining Privacy Protections
It is critical that covered entities and business associates implement and maintain comprehensive HIPAA compliance programs that address every aspect of the HIPAA Privacy, Security and Breach Notification Rules. Failure to do so can be costly, both financially and in the burden of implementing and abiding by a resolution agreement with OCR.