Hospitals pay nearly $1 million over ABC television documentary

Three hospitals in Boston have agreed to pay nearly $1 million to settle potential HIPAA violations after allegations that they compromised patient privacy by inviting film crews for an ABC television documentary series without first obtaining patient authorization. The HHS Office for Civil Rights (OCR) has reached separate settlements with Massachusetts General Hospital (MGH), Brigham and Women’s Hospital (BWH), and Boston Medical Center (BMC) for compromising the privacy of patients’ protected health information (PHI) by inviting film crews for an ABC television network documentary series without first obtaining authorization from patients. Collectively, the three entities paid OCR $999,000 to settle potential violations of the HIPAA Privacy Rule. HHS has also provided specific guidance about the Health Insurance Portability and Accountability Act (P.L. 104-191) and media coverage, including direction that blurring or pixelation is insufficient to protect patient privacy (Resolution Agreement, August 3, 2018; Resolution Agreement, September 6, 2018; Resolution Agreement, September 6, 2018).

Settlements 

To resolve potential HIPAA violations, MGH agreed to pay $515,000, BWH agreed to pay $384,000, and BMC agreed to pay $100,000. Each entity also agreed to provide workforce training as part of a corrective action plan that will include OCR’s guidance on disclosures to film and media. HHS initiated the investigation of BWH based on information in a Boston Globe newspaper article that indicated BWH permitted ABC News to film a medical documentary program at BWH. HHS also initiated an investigation of MGH based on a news story posted to MGH’s website indicating that ABC News would be filming a medical documentary program at MGH.

This is the second HIPAA case involving an ABC medical documentary television series. In 2016, New York-Presbyterian Hospital entered into a settlement in association with the filming of “NY Med.” “Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments,” said Roger Severino, OCR director. “Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”

Guidance on media coverage

HHS reaffirmed that health care providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ PHI will be accessible in any written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media. It is not sufficient for a health care provider to request or require media personnel to mask the identities of patients. Using techniques such as blurring, pixelation, or voice alteration software to mask patients from whom an authorization was not obtained is insufficient.

Only in very limited circumstances does the HIPAA Privacy Rule permit health care providers to disclose protected health information to members of the media without a prior authorization signed by the individual. For example, a covered entity may seek to have the media help identify or locate the family of an unidentified and incapacitated patient in its care. The HIPAA Privacy Rule does not require health care providers to prevent members of the media from entering areas of their facilities that are otherwise generally accessible to the public, which may include public waiting areas or areas where the public enters or exits the facility. A health care provider may also utilize the services of a contract film crew to produce training videos or public relations materials on the provider’s behalf if certain protections are in place.

Kusserow on Compliance: OCR enforcement update at the HCCA Compliance Institute

“OCR Enforcement Update” was the topic of the presentation by Iliana Peters, HHS Office for Civil Rights (OCR) Senior Adviser for HIPAA Compliance and Enforcement, at the Health Care Compliance Association (HCCA) Compliance Institute. She provided an update on enforcement, current trends, and breach reporting statistics. Peters stated that the OCR continues to receive and resolve an increasing number of complaints of Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) violations. She cited that OCR has received 150,507 complaints to date, with 24,879 being resolved with corrective action measures or technical assistance. At the rate reports are being received, the OCR estimates it will receive 17,000 complaints in 2017. She said that this year OCR has placed a major priority on privacy issues and will be issuing guidance on topics ranging from social media privacy to certification of electronic health record technology and the rationale for penalty assessment. She spoke about OCR’s Phase 2 audits that are underway, involving 166 covered entities (CEs) and 43 business associates (BAs). These audits are to ensure CEs’ and BAs’ compliance with the HIPAA Privacy, Security, and Breach Notification Rules, including mobile device compliance. It is expected that among the results of this effort will be increases in monetary penalties this year. Phase 3 will follow the same general approach currently being used, which includes review of control rules for privacy protection, breach notification, and security management.

In her comments about what the OCR has learned from its audits and investigations, Peters made the point that most HIPAA breaches still commonly occur as a result of poor controls over systems containing protected health information (PHI). A particular vulnerability has been mobile devices, such as laptop computers, that were not properly protected with encryption and passwords.

OCR advice

Peters provided in her slide presentation considerable advice as to what CEs and BAs should do to prevent breaches and other HIPAA-related problems. CEs and BAs should:

  • ensure that changes in systems are updated or patched for HIPAA security;
  • determine what safeguards are in place;
  • review OCR guidance on ransomware and cloud computing;
  • conduct accurate and thorough assessments of potential PHI vulnerabilities;
  • review for proliferation of electronic PHI (ePHI) within an organization;
  • implement policies and procedures regarding appropriate access to ePHI;
  • establish controls to guard against unauthorized access;
  • implement policies concerning secure disposal of PHI and ePHI;
  • ensure disposal procedures for electronic devices provide for clearing, purging, or destruction;
  • screen appropriately everyone in the work area against the OIG’s List of Excluded Individuals and Entities (LEIE);
  • ensure departing employees’ access to PHI is revoked;
  • identify all ePHI created, maintained, received or transmitted by the organization;
  • review controls for PHI involving electronic health records (EHRs), billing systems, documents/spreadsheets, database systems, and all servers (web, fax, backup, Cloud, email, texting, etc.);
  • ensure security measures are sufficient to reduce risks and vulnerabilities;
  • investigate/resolve breaches or potential breaches identified in audits, evaluations, or reviews;
  • verify that corrective action measures were taken and controls are being followed;
  • ensure when transmitting ePHI that the information is encrypted;
  • ensure explicit policies and procedures for all controls implemented; and
  • review system patches, router and other software, and anti-virus and anti-malware software.

Expert tips to meet HIPAA compliance requirements

Carrie Kusserow, MA, CHC, CHPC, CCEP, is a HIPAA expert with over 20 years of compliance officer and consultant experience. She pointed out that the OCR finds that most HIPAA breaches still commonly occur as a result of poor or lapsed controls over systems with PHI. She noted that Iliana Peters stated that the OCR often encounters situations where established internal controls were not followed; in many cases, discoveries of breaches within organizations were not promptly investigated. Also, most of the breaches currently being reported involve mobile devices, specifically laptop computers, and a failure to properly encrypt and password protect PHI. Kusserow offered tips and suggestions in addition to those offered in the OCR presentation, particularly as they relate to mobile devices.

  • Conduct a complete security risk analysis that addresses ePHI vulnerabilities.
  • Ensure the Code of Conduct covers reporting of HIPAA violations.
  • Validate effectiveness of internal controls, policies, and procedures.
  • Maintain an up-to-date list of BAs that includes contact information.
  • Ensure identified risks have been properly addressed with corrective action measures.
  • Develop corrective action plans to promptly address any weaknesses or breaches identified.
  • Follow the basics in prevention of information security risks and PHI breaches.
  • Ensure policies/procedures govern receipt and removal of laptops containing ePHI.
  • Verify workforce member and user controls for gaining access to ePHI.
  • Verify laptops and other mobile devices are properly encrypted and password protected.
  • Implement safeguards to restrict access to unauthorized users.
  • Review adequacy of security processes to address potential ePHI risks and vulnerabilities.
  • Ensure the hotline is set up to receive HIPAA-related calls.
  • Verify that all BAs have signed business associate agreements.
  • Train the workforce on HIPAA policies/procedures, including reporting violations.
  • Investigate complaints, allegations, and reports of non-compliance promptly and thoroughly.
  • Engage outside experts to independently verify controls are adequate and being followed.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Covered entities should report cybersecurity threats, but no PHI disclosures

Cyber threats are becoming more and more common, both in general and specifically in the health sphere. The Department of Homeland Security operates the National Cybersecurity and Communications Integration Center (NCCIC), with four branches dedicated to protecting the right to privacy in the government, private sector, and international defense network communities. The US Computer Emergency Readiness Team (US-CERT) develops information on immediate threats and analyzes data gleaned from cybersecurity incidents.

As part of these efforts, health entities can report any suspicious activity or cybersecurity incidents to US-CERT. Disclosing cyber threat indicators, which include information such as malicious reconnaissance, security vulnerabilities, and methods of defeating controls or exploiting vulnerabilities, is intended to alert other entities to possible issues. This type of information sharing allows the federal government to better protect information systems and to maintain current alerts and reports on vulnerabilities on the US-CERT site.

HIPAA concerns

HHS recently clarified that entities subject to the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) may not disclose protected health information (PHI) for the purpose of sharing cyber threat indicators. This also applies to business associates. PHI may only be released under these circumstances if the disclosure is permitted under the Privacy Rule.

HHS noted that PHI is generally not included in cyber threat indicators, so prohibiting PHI disclosure in cyber threat reporting will typically not be an issue. Under the Privacy Rule, an entity could disclose PHI to law enforcement without the individual’s written authorization in order to comply with a court order or to alert and inform law enforcement as necessary regarding criminal activity. In some instances, an entity may report limited PHI. Entities may disclose to federal officials authorized to conduct national security activities or to protect the President. In all other circumstances that are not expressly included and permitted in the Privacy Rule, the entities must obtain authorization from the individual whose PHI is to be disclosed.

HIPAA lets docs share info with non-related loved ones

The Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) Privacy Rule permits covered entities (CEs) to disclose information to non-family members of a patient when that information relates to the non-family member’s care of or payment for health care of the patient, but it also allows CEs to notify a non-family member of the patient’s location, general condition, or death. The HHS Office for Civil Rights (OCR) issued an FAQ discussing these issues in response to the 2016 Pulse Nightclub shootings in Orlando, when confusion arose over hospitals’ ability to discuss patients’ conditions with their partners. In an emailed press release, the OCR noted, “the FAQ makes clear that the potential recipients of information under the relevant permissive disclosure provisions . . . are not limited by the sex or gender identity of the person.”

45 C.F.R. section 164.510(b)(1) states that CEs may disclose protected health information (PHI) relevant to a person’s involvement with a patient’s care or payment for the patient’s care to “a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual.” It further permits a CE to share PHI “to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual’s location, general condition, or death.” When a patient is unable to give verbal permission regarding the disclosure of PHI to specific people, the OCR stated that the Privacy Rule defers to the CE’s professional judgment without requiring it to verify the relationship between the person receiving the disclosure and the patient.

The OCR also discussed required disclosures in relationship to the rights of same-sex spouses, and issued additional guidance regarding same-sex spouses’ rights. Pursuant to the U.S. Supreme Court decision in Obergefell v. Hodges, states must permit same-sex marriages and recognize lawful same-sex marriages performed in other states. The guidance reminds CEs that the term “marriage” refers to all lawful marriages, the term “spouse” refers to all lawfully married spouses, and the term “family member” includes both the lawful spouses and the dependents of all lawful marriages. The Privacy Rule regards persons authorized under state or other applicable law to act on behalf of the individual in making health care related decisions as the individual’s “personal representative.” 45 C.F.R. section 164.502(g) provides when, and to what extent, the personal representative must be treated as the individual. Therefore, if a state grants legally married spouses the authority to make health care related decisions on each other’s behalf, the spouses are personal representatives and CEs must provide them with access to medical records.