An April 22 article in Law360, "3 Takeaways From The Recent HIPAA Enforcement Blitz," discusses the recent enforcement actions by the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) against four healthcare providers for allegedly failing to comply with HIPAA, and OCR's upcoming "Phase 2" audits of providers. OCR's Phase 2 audits have been discussed frequently on this blog, most recently here.
The most recent enforcement action, announced by HHS on April 21, involved New York-Presbyterian Hospital (NYP) allowing a television film crew to film patients without obtaining their authorization. NYP will pay a $2.2 million settlement and has agreed to a corrective action plan.
Day Pitney's Eric Fader was quoted extensively in the Law360 article. "Having made an example out of so many different providers with so many different types of violations in recent years, it was only a matter of time before OCR started running out of patience and ramping up its enforcement and fines," Eric observed. "And I think that's what we're seeing so far this year."
The Law360 article points out that two of OCR's most recent enforcement actions involve allegations that a healthcare provider did not have an appropriate business associate agreement (BAA) in place. The Phase 2 audits will include business associates, as well as covered entities, and OCR is expected to check whether all required BAAs have been executed. "Anyone who doesn't have a business associate agreement at this point is working on borrowed time," Eric warned. "In the new round of audits, OCR will certainly be looking to confirm that business associate agreements are in place. So everyone, regardless of whether they're a covered entity or a business associate, needs to be aware of how HIPAA applies to them and the ways that they can get into trouble, especially because OCR has set an example with these two recent enforcement actions."
The NYP settlement continues OCR's recent practice of publicizing enforcement actions involving different and sometimes unique fact situations, presumably with the dual goals of demonstrating to providers the breadth of HIPAA's restrictions and grabbing people's interest each time. Eric pointed out that just as the allure of the TV series may have made the hospital's analysis of its HIPAA obligations more difficult, "that same mentality is what made this a no-brainer for OCR to use this case to catch people's attention and make an example."
To make its point perfectly clear, HHS also uploaded to its website a one-question FAQ which advises:
"Health care providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients' PHI will be accessible in written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media. Only in very limited circumstances . . . does the HIPAA Privacy Rule permit health care providers to disclose protected health information to members of the media without a prior authorization signed by the individual."