Hospitals pay nearly $1 million over ABC television documentary

Three hospitals in Boston have agreed to pay nearly $1 million to settle potential HIPAA violations after inviting film crews for an ABC television documentary series without first obtaining authorization from patients. The HHS Office for Civil Rights (OCR) reached separate settlements with Massachusetts General Hospital (MGH), Brigham and Women’s Hospital (BWH), and Boston Medical Center (BMC) for compromising the privacy of patients’ protected health information (PHI) by allowing the filming. Collectively, the three entities paid OCR $999,000 to settle potential violations of the HIPAA Privacy Rule. HHS has also provided specific guidance about the Health Insurance Portability and Accountability Act (P.L. 104-191) and media coverage, including direction that blurring or pixelation is insufficient to protect patient privacy (Resolution Agreement, August 3, 2018; Resolution Agreement, September 6, 2018; Resolution Agreement, September 6, 2018).

Settlements 

To resolve potential HIPAA violations, MGH agreed to pay $515,000, BWH agreed to pay $384,000, and BMC agreed to pay $100,000. Each entity also agreed to provide workforce training as part of a corrective action plan that will include OCR’s guidance on disclosures to film and media. HHS initiated the investigation of BWH based on information in a Boston Globe newspaper article indicating that BWH had permitted ABC News to film a medical documentary program at BWH. HHS also initiated an investigation of MGH based on a news story posted to MGH’s website indicating that ABC News would be filming a medical documentary program at MGH.

This is the second HIPAA case involving an ABC medical documentary television series. In 2016, New York-Presbyterian Hospital entered into a settlement in association with the filming of “NY Med.” “Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments,” said Roger Severino, OCR director. “Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”

Guidance on media coverage

HHS reaffirmed that health care providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ PHI will be accessible in any written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media. It is not sufficient for a health care provider to request or require media personnel to mask the identities of patients for whom an authorization was not obtained; techniques such as blurring, pixelation, or voice alteration software do not cure the impermissible disclosure.

Only in very limited circumstances does the HIPAA Privacy Rule permit health care providers to disclose protected health information to members of the media without a prior authorization signed by the individual. For example, a covered entity may seek to have the media help identify or locate the family of an unidentified and incapacitated patient in its care. The HIPAA Privacy Rule does not require health care providers to prevent members of the media from entering areas of their facilities that are otherwise generally accessible to the public, which may include public waiting areas or areas where the public enters or exits the facility. A health care provider may also utilize the services of a contract film crew to produce training videos or public relations materials on the provider’s behalf if certain protections are in place.

Kusserow on Compliance: Recap of the OCR’s 2017 HIPAA enforcement

HIPAA Privacy Rule enforcement by the HHS Office for Civil Rights (OCR) has increased steadily since the effort began in 2003. Over the years, OCR has received over 175,000 HIPAA complaints and initiated nearly 1,000 compliance reviews. OCR investigations have resolved nearly 30,000 cases by requiring changes in privacy practices, taking corrective actions, or providing technical assistance to HIPAA covered entities and their business associates. OCR enforces the HIPAA Rules where an investigation indicates noncompliance by the covered entity or its business associate. OCR investigations have ranged widely and included national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices. To date, OCR has settled or imposed a civil money penalty in about 60 cases, resulting in a total dollar amount of about $75,000,000. The average enforcement penalty has been about $1.5 million per case. In another 12,000 cases, no violations were found. In another 25,000 cases, OCR intervened early and provided technical assistance to HIPAA covered entities, their business associates, and individuals exercising their rights under the Privacy Rule, without the need for an investigation. In the balance of over 100,000 cases, OCR determined that the complaint did not present an eligible case for enforcement because OCR lacked jurisdiction, the complaint was untimely or withdrawn by the filer, or the activity described did not violate HIPAA.

Cases that OCR closes fall into five categories:

  1. Resolved without investigation. OCR closes these cases after determining that OCR lacks jurisdiction, or that the complaint, referral, breach report, news report, or other instigating event will not be investigated. These include situations where the organization is not a covered entity or business associate and/or no protected health information (PHI) is involved; the behavior does not implicate the HIPAA Rules; the complainant refuses to provide consent for his/her information to be disclosed as part of the investigation; or OCR otherwise decides not to investigate the allegations.
  2. Technical assistance only. OCR provides technical assistance to the covered entity, business associate, and complainant through early intervention by investigators located in headquarters or a regional office.
  3. Investigation determines no violation. OCR investigates and does not find any violations of the HIPAA Rules.
  4. Investigation results in corrective action obtained. OCR investigates and either provides technical assistance to the covered entity or business associate or requires it to make changes regarding HIPAA-related privacy and security policies, procedures, training, or safeguards. Corrective action closures include those cases in which OCR enters into a settlement agreement with a covered entity or business associate.
  5. Other. OCR may decline to investigate a case if (a) DOJ is investigating the matter; (b) it was the result of a natural disaster; (c) it was investigated, prosecuted, and resolved by state authorities; or (d) the covered entity or business associate has taken adequate steps to comply with the HIPAA Rules, not warranting the deployment of additional resources.

Order of frequency of issues investigated

  • Impermissible uses and disclosures of protected health information;
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information;
  • Use or disclosure of more than the minimum necessary protected health information; and
  • Lack of administrative safeguards of electronic protected health information.

Most common types of entities resulting in corrective actions

  • General hospitals;
  • Private practices and physicians;
  • Outpatient facilities;
  • Pharmacies; and
  • Health plans (group health plans and health insurance issuers).

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Recommendations for creating compliant security relationships with vendors

Recent regulatory changes have had an impact on what “covered entities” must do to create and maintain a compliant security relationship with their “business associates.” This impact, and how information technology (IT) and compliance departments can interact to improve business associate selection and management, were the topics of a recent Health Care Compliance Association (HCCA) webinar featuring Francois J. Bodhuin, Director, Information Security Officer, and Joseph A. Piccolo, Vice President, Corporate Compliance, at the Inspira Health Network. The presenters also offered a five-step life cycle approach to managing vendor security requirements.

Background

The term “covered entity” is defined in 45 C.F.R. sec. 160.103 as a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic format. According to the presenters, the HITECH privacy provisions (Title XIII) of the American Recovery and Reinvestment Act (ARRA) (P.L. 111-5) resulted in the promulgation of the January 25, 2013 Final Rule (78 FR 5566), which strengthened the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The rule also expanded the definition of “business associates” (BAs) to include subcontractors/vendors (and required written assurance from subcontractors/vendors that they will uphold the security and privacy of protected health information (PHI)), increased reporting requirements, and enhanced penalties (see HIPAA final rule modifies Privacy, Security, and Enforcement Rules and establishes direct liability for business associates that violate certain rules, Health Law Daily, January 25, 2013).

Enforcement themes and challenges

The presenters noted several themes present in recent government enforcement actions, including accusations of inadequate risk assessment plans, outdated vendor agreements, the lack of risk analysis, and inadequate oversight (lack of communication). The presenters also laid out several new logistical challenges, including (1) ensuring that vendor agreements are current (and incorporate the 2013 rule changes); (2) the need to educate board members, employees, and vendors; and (3) the monitoring of vendor agreements.

Interaction of IT and compliance

The presenters stressed the need for IT and compliance to jointly develop a process that (1) makes use of HHS Office for Civil Rights (OCR) guidance, audit criteria, and recent settlements; and (2) sets guidelines for vendors, including a vendor code of conduct, specific policies and procedures for vendors, and vendor education requirements.

The presenters see the IT role as performing annual security assessments, frequent vulnerability scans, and the integration of risk analysis. In addition, in support of compliance, they believe that IT must: (1) be represented on the compliance committee; (2) have software that tracks vendors; (3) develop security questionnaires; and (4) evaluate the security programs of vendors.

Compliance, according to the presenters, must support IT by: (1) being a conduit for communication in understanding vendor relationships; (2) collaborating with IT on new and unique projects; (3) educating the board on the compliance/IT partnership; (4) developing and updating policies; and (5) including audits as part of the annual work plan.

Collaborative management of vendors

The presenters recommend language in vendor agreements that will allow for the covered entity to conduct a survey or questionnaire of the vendor. They suggest that the questionnaire incorporate the organizational values of the covered entity, not just government requirements. The questionnaire should be required of both new and existing vendors.

The presenters also recommend that the covered entity create an oversight group to review vendor responses, extrapolate risk levels, review actions taken with the vendor, tweak questionnaires, and report results to executives through the compliance committee.

Five-step approach

The presenters concluded by describing their five-step life cycle approach to managing vendor security requirements. Their approach centers on the following elements: (1) patient satisfaction; (2) quality outcomes; (3) electronic data security; (4) patient engagement/population management; and (5) stewardship and reputation.

Trump Administration appoints controversial figure to HHS’ anti-discrimination office

The Trump Administration appointed Roger Severino as Director of the HHS Office for Civil Rights (OCR). Previously, Severino worked for the Heritage Foundation as the director of the DeVos Center for Religion and Civil Society in the Institute for Family, Community, and Opportunity. Prior to his work with the Heritage Foundation, he was a trial attorney in the Department of Justice’s Civil Rights Division. Severino was also the Chief Operations Officer and Legal Counsel for the Becket Fund for Religious Liberty.

OCR 

The OCR enforces federal laws designed to prohibit discriminatory practices in health care by providers who receive HHS funds. The OCR also protects the privacy and security of health information through its investigatory and enforcement actions related to the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191).

Opposition

Senator Patty Murray (D-Wash) spoke out in opposition to the Trump Administration’s appointment, calling it an “appalling hire.” Murray criticized Severino’s work with the Heritage Foundation and the Becket Fund, where he “fought against transgender equality in health care, against the separation of church and state, and in support of defunding Planned Parenthood.” Severino has previously worked to oppose the OCR’s implementation of Section 1557 of the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148)—a law which prohibits discrimination in health care on the basis of race, color, national origin, sex, age, or disability.