Four hospitals – Boston Medical Center, Brigham and Women’s Hospital, Massachusetts General (both teaching hospitals affiliated with the Harvard Medical School), and New York Presbyterian – have been fined by HHS’ Office of Civil Rights (OCR) for breaches of patient privacy. The takeaway here is that under HIPAA, protected health information extends to photos and films of patients, and permission has to be sought to obtain and make use of either of them.
What, Exactly, Was The Violation?
The violation in each case was allowing film crews from TV shows to film patients and their treatment without first obtaining permission. The total of fines for the four hospitals was $3, 199,000, an average of $799,750 per incident. That’s a chunk of change for even a major teaching hospital.
The first three hospitals listed above said that allowing the filming was not a violation of protected health information (PHI) and that patient consent had been obtained and that they were not liable for any fine. The OCR disagreed and decided that films and photos of patient treatment were, in fact, PHI and that the same HIPAA laws and regulations that cover data breaches applied here. This establishes a precedent that OCR can follow in the future.
Of course, healthcare organizations are proud of the services they provide, and the knee-jerk response of the public relations department will, of course, be to invite the media in when there is something to celebrate. Photos of treatment, films of procedures, and interviews with patients naturally follow. The lesson from the OCR decisions in the cases of these four hospitals is that it’s perfectly okay to do this, provided appropriate patient consent is obtained first.
OCR does not provide a standard form for permission to film or photograph. That will have to be developed by the hospital’s legal department, which should craft the consent, not only with HIPAA in mind but also any applicable state laws covering health care or privacy.
What About Digital Media?
The situation gets more complex if the films or photos are taken or stored using digital media, and that will very often be the case. Once this is done, all of the regulations and laws covering PHI in digital form apply. This gives OCR an opening to expand the fines to cover a double violation, even if the violation(s) stems from the same single incident.
It is worth noting that three of the four hospitals involved made the defense that they had, in fact, obtained patient consent. OCR apparently found that whatever form was used did not meet the HIPAA standards for consent. It should also be noted that under HIPAA, there is a difference between “authorization” and “consent.”
What Is Consent? What’s Authorization?
Authorization is more formal and must involve a signed document. The advice from the legal department is likely to be that there are ambiguities surrounding consent that are not present in the definition of authorization, and that obtaining authorization is always the safer course.
Just as providers have the motto that “if it’s not in the chart, it didn’t happen,” the posture of health care organizations should be “if we don’t have a signed form, consent was not given.” In particular, mere verbal consent is never a sufficient defense—it’s not worth the paper it isn’t printed on. The Privacy Rights Clearinghouse provides a good summary of consent versus authorization at How Can Covered Entities Use and Disclose PHI. Remember, in three of the cases discussed above, whatever the hospitals thought was consent was a violation in the eyes of the OCR.
“Health care operations” are generally, but not exclusively, exempt from HIPAA. “Health care operations” is somewhat ambiguous. Generally, the term refers to the activities that healthcare providers regularly engage in to keep the organization in operation – credentialing, billing, accounting, data operations (except handling of PHI) are generally HIPAA exempt.
But there are no necessary parallels between HIPAA and state laws, and “healthcare operations” that are perfectly exempt from HIPAA. Plus, these may be covered by privacy rights under state laws. Again, your legal department is the best authority on this, and if state laws differ from HIPAA, it makes sense for one form to cover both the required federal and state consents. A complete list of the activities covered by the term may be found at 45 Code of Federal Regulations 164.50.
What’s The Takeaway?
The chief takeaway from these four incidents is that common sense, or what appears to be common sense, does not govern here; the law and regulations do. Having good legal advice in any case where there is ambiguity is a good idea. If you are uncertain about what “covered activity” means, then consult your lawyers. You’re paying good money for legal counsel so make use of them.