November 30, 2018
This Fall, the U.S. Department of Health and Human Services Office of Civil Rights (“OCR”) has entered into a pair of settlements (referred to as “resolution agreements”) with health care providers that, according to OCR, impermissibly disclosed patients’ protected health information (“PHI”) in violation of the Health Insurance Portability and Accountability Act and its related privacy regulations (“HIPAA”). In view of these (and prior, similar) enforcement actions, health care providers should ensure they are taking appropriate steps to protect PHI in disclosures to the media.
Summary of OCR Enforcement Actions Targeting Impermissible Disclosures of PHI to the Media
Allergy Associates of Hartford An individual filed a civil rights complaint with OCR against a physician practice (i.e., a “covered entity” under HPIAA) located in Hartford, Connecticut, based on the individual’s assertion that the practice denied her service because she used a service animal. The individual also contacted a local television station to complain about the incident. According to the settlement agreement between OCR and the practice, when the television station later contacted the practice, to inquire about the incident, a physician at the practice impermissibly disclosed the individual’s PHI to a reporter. In its investigation, OCR learned that the privacy officer for the practice directed the physician not to comment on the incident (i.e., to avoid disclosing any PHI or violating applicable privacy laws). The settlement agreement, entered into November 26, required the practice to pay $125,000 (a “resolution payment,” in OCR terminology) and to comply with certain ongoing, administrative obligations (in the form of a “corrective action plan”) to verify compliance with applicable HIPAA requirements. In the agreement, OCR emphasized that the physician not only failed to comply with HIPAA, but disregarded the privacy officer’s direction not to disclose patient information; this could be interpreted to mean that OCR sanctioned the practice because it did not have adequate safeguards in place to protect against the disclosure. OCR also emphasized that, despite the physician’s conduct, the practice took no disciplinary action against him.
Boston Medical Center / Brigham and Women’s Hospital / Massachusetts General Hospital A month prior to the Allergy Associates of Hartford settlement, OCR entered into a settlement with three Boston-area hospitals that permitted film crews into treatment areas and other areas in their respective facilities where PHI was accessible without first obtaining written authorizations from affected patients. In the case of two of the hospitals, OCR learned of the filming through a newspaper article published in The Boston Globe; OCR discovered the other hospital’s involvement through a posting on the hospital’s own website. The resulting settlement agreement required the hospitals, collectively, to pay $999,000 to OCR and enter into a corrective action plan. Significantly, OCR acknowledged that the hospitals took certain steps to protect patient privacy, though it didn’t specify what steps, nor whether the film crews actually filmed patients and/or had access to PHI in other forms. In any event, however, OCR concluded such steps (whatever they were) did not sufficiently safeguard patients’ PHI so as to obviate the need to obtain the patients’ written authorizations. OCR alluded to guidance published on its website (in the form of a Frequently Asked Question) that indicates, among other things, that
Health care providers cannot invite or allow media personnel, including film crews, into treatment areas of their facilities where patients’ PHI will be accessible . . . or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media.
. . .
In addition, the health care provider must ensure that reasonable safeguards are in place to protect against impermissible disclosures or to limit incidental disclosures of other PHI that may be in the area by for which an authorization has not been obtained.
Here, again, however, OCR does not specify the types of safeguards that would relieve a covered entity of its obligation to obtain a patient’s written authorization prior to disclosing the patients’ PHI to the media.
The settlements noted above are not the only OCR settlements pertaining to media disclosures. In 2016, New York Presbyterian Hospital paid $2.2 million to OCR to settle an incident in which, similar to the Boston hospitals discussed above, the hospital permitted television crews to enter treatment areas and other areas in the hospital to film for the show “NY Med,” despite that it had not obtained written authorizations from patients in those areas. Likewise, in 2013, Shasta Regional Medical Center, in California, paid $275,000 to OCR to settle an incident in which, similar to Allergy Associates of Hartford, the hospital responded to allegations of misconduct – in this case, allegations of billing improprieties made by a watchdog agency, and related interviews given by the subject patient – by releasing a patient’s PHI to the media without the patient’s authorization. In that case, OCR made clear that the patient did not “waive any rights” by disclosing her own PHI in public interviews – that is, the hospital was not relieved of any HIPAA obligations, even though the patient had already voluntarily disclosed her own PHI.
The number and frequency of OCR enforcement actions focused on disclosures of PHI to the media (in particular, two in the last three months) may signal a trend of heightened scrutiny in regard to such disclosures. Health care providers should carefully examine their existing safeguards for handling media disclosures, taking into account the enforcement actions and guidance discussed above, and coordinate with legal counsel to implement appropriate safeguards and to identify and implement additional corrective actions. Likewise, in view of the Allergy Associates breach, health care providers should be mindful that OCR expects covered entities to ensure that all workforce members – including physicians – comply with their obligations to safeguard PHI and to take appropriate disciplinary action against workforce members – again, including physicians – who fail to do so.
This Insight is intended only to provide an overview of the matters addressed herein and does not constitute legal advice. If you have questions regarding a specific arrangement with a physician or other health care provider, please seek appropriate legal counsel.
 See U.S. Department of Health and Human Services Office of Civil Rights (“OCR”), Allergy practice pays $125,000 to settle doctor’s disclosure of patient information to a reporter, November 26, 2018, available at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/allergyassoc
iates/index.html (last visited November 28, 2018).
 See OCR, Unauthorized Disclosure of Patients’ Protected Health Information During ABC Television Filming Results in Multiple HIPAA Settlements Totaling $990,000, September 20, 2018, available at https://www.hhs.gov/about/news/2018/09/20/unauthorized-disclosure-patients-protected-health-informatio
n-during-abc-filming.html (last visited November 28, 2018); see also OCR, FAQ: Can health care providers invite or arrange for members of the media, including film crews, to enter treatment areas of their facilities without prior written authorization?, April 18, 2016, available at https://www.hhs.gov/hipaa/for-professionals/faq/2023/film-and-media/index.html (last visited November 28, 2018).
 See OCR, Unauthorized Filming for “NY Med” Results in $2.2 Million Settlement with New York Presbyterian Hospital, April 21, 2016, available at https://www.hhs.gov/hipaa/for-professionals/
compliance-enforcement/agreements/new-york-presbyterian-hospital/index.html (last visited November 28, 2018).
 See OCR, HHS requires California medical center to protect patients’ right to privacy, June 13, 2013, available at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/srmc/press-release/index.html (last visited November 28, 2018).