Authorization Timing Key Factor in Recent HIPAA Violations

All entities covered under the Health Insurance Portability and Accountability Act (HIPAA) know that shielding protected health information from potential unauthorized disclosure needs to be a priority.

Similarly, it is widely understood that obtaining written authorization from a patient can provide at least some level of protection against potential HIPAA fines.  However, the Department of Health and Human Services, Office of Civil Rights (OCR) just issued a reminder that it’s not only obtaining written authorizations that is important; Covered Entities also need to make sure they obtain authorizations in a timely manner.

Recently, three Massachusetts hospitals entered into settlements with the OCR for potential violations of the HIPAA Privacy Rule.  The three hospitals, Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH), allowed crews to film a medical documentary television series for ABC.  Even though two of the hospitals, BWH and MGH, provided HIPAA privacy training to the film crew and obtained written patient authorizations, OCR still concluded that the hospitals compromised the protected health information of patients because the written authorizations were obtained too late (i.e., after filming began).

To settle the potential HIPAA violations, each hospital agreed to adopt individual corrective action plans and to provide HIPAA training to its employees, and collectively, the three hospitals agreed to pay $999,000 to OCR.  BMC paid $100,000, BWH paid $384,000, and MGH paid $515,000.

This is not the first time OCR has settled a HIPAA case involving the filming of a documentary on a health care provider’s premises, and it likely will not be the last.  So, what should health care providers do if they wish to allow film crews or other media personnel into areas where protected health information is accessible?  In its FAQs, OCR has provided guidance stating that health care providers must obtain prior written authorization from each individual whose protected health information will be accessible and/or from each individual who will be in the area.  Masking the identities of individuals who do not provide the required prior written authorization is insufficient for HIPAA purposes.  Further, health care providers should adopt appropriate safeguards to prevent any impermissible or incidental disclosures.

According to the OCR guidance, there are very limited circumstances where a health care provider can disclose protected health information to the media without a prior written authorization. One such example includes a patient who is incapacitated and unidentifiable.  In such a situation, a health care provider may disclose limited protected health information in order to obtain the media’s help in identifying the individual if, and only if, the health care provider deems it to be in the patient’s best interest.  It is important to keep in mind that this is an exception to the general rule, so if health care providers want to avoid paying thousands of dollars to settle potential HIPAA violations, adopting reasonable safeguards and obtaining written authorization from each individual before protected health information is disclosed is a must.

Attorney Advertising. Prior results do not guarantee a similar outcome. This publication is provided as a service to clients and friends of Harter Secrest & Emery LLP. It is intended for general information purposes only and should not be considered as legal advice. The contents are neither an exhaustive discussion nor do they purport to cover all developments in the area. The reader should consult with legal counsel to determine how applicable laws relate to specific situations. ©2018 Harter Secrest & Emery LLP