During the week of April 18, 2016, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced two significant settlements with a large New York City hospital and a North Carolina orthopaedic practice relating to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
New York Presbyterian Hospital (NYP) agreed to pay $2.2 million due to the disclosure of protected health information (PHI) during the filming of a television show in the hospital.
The Raleigh Orthopaedic Clinic (ROC), a North Carolina orthopaedic practice, agreed to pay $750,000 relating to allegations that ROC transferred PHI to a business partner without first executing a business associate agreement (BAA).
To date in 2016, OCR has publicly announced six settlements relating to HIPAA, and the total paid by the entities involved in these settlements is in excess of $8.6 million.
These two most recent settlements reiterate OCR’s active enforcement of HIPAA and the need for covered entities and business associates to maintain a comprehensive HIPAA compliance program.
OCR’s investigation of NYP arose from a complaint OCR received against NYP. The complaint alleged that NYP impermissibly disclosed PHI to a film crew for a television show being filmed in the hospital. After investigation, OCR determined that NYP impermissibly disclosed the PHI of two patients to the television show’s crew. According to the press release announcing the settlement, NYP allowed the crew to film someone who was dying and another person in significant distress. Further, according to the Resolution Agreement, NYP failed to implement policies, procedures and practices to protect its patients’ PHI during the filming of the show.
As a condition of the settlement, NYP entered into a Corrective Action Plan (CAP) with OCR. According to the CAP, NYP is required to do the following:
The NYP Resolution Agreement, CAP and press release are available here.
OCR’s investigation of ROC originated from an April 30, 2013 breach report. According to the Resolution Agreement between OCR and ROC, the breach report stated that ROC transferred x-ray films containing PHI for approximately 17,300 patients to a vendor for the vendor to harvest silver from the films. In exchange, the vendor was to transfer the x-rays into electronic media. ROC failed to execute a BAA with the vendor prior to transferring the films.
In addition to the $750,000 payment, ROC entered into a CAP with OCR. According to the CAP, ROC is required to do the following:
The ROC Resolution Agreement, CAP and press release are accessible here.
OCR has already been very active in HIPAA enforcement in 2016. Saul Ewing has monitored and written about these HIPAA settlements; those articles may be found here:
Improper Disclosure of Research Information Results in $3.9 Million Settlement
Seven-Figure Settlement Reinforces Necessity of Business Associate Agreements
Six-Figure January HIPAA Enforcement Activities Highlight Importance of Maintaining Privacy Protections
It is critical that covered entities and business associates implement and maintain comprehensive HIPAA compliance programs that address every aspect of the HIPAA Privacy, Security and Breach Notification Rules. Failure to do so can have costly consequences from a financial perspective and with respect to implementing and abiding by a resolution agreement with OCR.