Lights, Camera …. No Unauthorized Disclosure! Taking “Action” to Protect Patient Privacy When the Media Appear
In April 2011, Mark Chanko died at New York-Presbyterian hospital (NYP) after being hit by a truck. While Chanko was receiving emergency treatment, a film crew from a major television network was onsite at the hospital, with its knowledge and permission, filming the medical documentary series N.Y .Med.
The crew filmed Chanko’s treatment, the doctor declaring him dead, and the doctor informing the family of his death, all without Chanko’s or the family’s consent – or even their knowledge.
Sixteen months after Chanko’s death, while watching an episode of N.Y. Med
, Chanko’s wife “recognized the scene, heard decedent’s voice asking about her, saw him on a stretcher, heard him moaning, and watched him die.”
This was the first time she, and other family members, became aware that his treatment had been recorded.
Chanko’s widow and family members brought a civil lawsuit, which is proceeding against the hospital and treating physician for breach of doctor/patient confidentiality. 
However, that is not the limit of the hospital’s troubles. DHHS’s Office for Civil Rights (OCR) also investigated the hospital – a HIPAA covered entity – for alleged violations of the HIPAA Privacy Rule.
On April 21, 2016, OCR announced its $2.2M settlement
with NYP. The agency’s investigation revealed that the hospital had impermissibly disclosed two patients’ protected health information (PHI) to the film crew and other media staff, failed to reasonably and appropriately safeguard the patients’ PHI from disclosure during filming, and failed to implement policies, procedures, and practices to protect the privacy of the patients’ PHI during filming, all in violation of the Privacy Rule.
The hospital agreed to pay a $2.2M resolution amount and enter into a corrective action plan (CAP), to settle the investigation.
The CAP required the hospital to develop, distribute, and update policies and procedures including:
A specific prohibition on the use or disclosure of PHI to any person or entity planning, coordinating or engaging in photography, video recording, or audio recording other than for purposes related to providing medical care without the individual’s prior authorization;
A process for evaluating and approving authorizations requesting the disclosure of PHI by NYP;
Identification of NYP personnel or representatives whom workforce members, agents, or business associates may contact in the event of any inquiry or concern regarding compliance with HIPAA in relation to these activities;
A requirement that all photography, video recording and audio recording conducted on NYP premises be actively monitored by appropriate NYP representatives for compliance with the Privacy Rule and NYP’s policies;
Measures that address the following Privacy Rule provisions: uses and disclosures of PHI (45 CFR 164.502(a)); safeguards (45 CFR 164.530(c)(1)); authorizations (45 CFR 164.508(a)); training (45 CFR 164.530(b)(1)); and internal reporting procedures mandating that workforce members report policy/procedure violations to the hospital’s Privacy Officer as soon as possible;
Measures providing that upon receiving information that a member of its workforce may have violated these policies and procedures, NYP shall promptly investigate and address the violation in an appropriate and timely manner; and
Application of appropriate sanctions (which may include re-training or other instructive corrective action, depending on the circumstances) against members of NYP’s workforce, including supervisors and managers, who fail to comply with the NYP Policies and Procedures.
The CAP also included workforce training requirements, a two-year monitoring period, and accelerated notice to OCR of HIPAA Rule violations.
Commenting on the settlement, OCR Director Jocelyn Samuels emphasized: “This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization. We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.”
OCR’s Media FAQ
While most CEs and BAs will not experience a television drama filming on their premises, news media do
come calling. OCR has published a film and media guide
to assist HIPAA-covered providers in fulfilling their obligations to patient privacy. As a general rule, CEs and BAs cannot disclose PHI to the media without the individual’s (patient) prior authorization. As the guide makes clear:
Health care providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ PHI will be accessible in written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media. Only in very limited circumstances, as set forth below, does the HIPAA Privacy Rule permit health care providers to disclose protected health information to members of the media without a prior authorization signed by the individual.
It is not enough to ask or require media to mask patients’ identities (e.g., pixilation, voice alteration) because the media may not have un-authorized access to patients in the first place. Providers must also take care to institute reasonable safeguards to limit incidental disclosures of PHI.
Under carefully circumscribed circumstances, a covered entity may disclose limited PHI to the media without the patient’s prior authorization. For example, a health care provider may seek media assistance in locating family of an unidentified, incapacitated patient if doing so is in the patient’s best interest (45 CFR 164.510(b)(1)(ii)). The Privacy Rule does not require providers to deny media access to areas of the facility generally accessible to the public.
Providers may engage contract film crews for their own legitimate business purposes, such as producing training videos. However the provider must enter into a business associate agreement with the crew if the provider will be disclosing PHI to allow the crew to perform services on the provider’s behalf, such as interviewing patients. A HIPAA-compliant BAA will obligate the film crew to comply with the Security Rule and many provisions of the Privacy Rule, and thus to appropriately safeguard the PHI.
Patient authorization is required if any of the materials containing PHI will be publicly disseminated.
For more information about health care privacy, HIPAA violations, and data security, contact Kim Metzger
or a member of our Data Security and Privacy Practice
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
 Chanko, et al. v. American Broadcasting Companies, Inc., et al.,
2016 WL 1247664 (N.Y. Ct. App. March 31, 2016).
Plaintiffs brought a lawsuit against the hospital, the treating physician, the television station, and others. The defendants moved to dismiss the complaint, and the New York Supreme Court partially granted the motions, dismissing all causes of action except breach of physician-patient confidentiality against the hospital and treating physician, and intentional infliction of emotional distress against the station, the hospital, and the treating physician. The defendants separately appealed the order insofar as the motions to dismiss were denied. Plaintiffs did not cross-appeal. The state’s Appellate Division modified Supreme Court's order by reversing the portions of the order that were appealed, granted the motions in their entirety and dismissed the entire complaint. That Court granted plaintiffs leave to appeal.
The appellate court modified the Appellate Division’s order, denying the hospital’s and treating physician’s motion to dismiss the breach of confidentiality claim and otherwise affirming. Id
. As to the intentional infliction of emotional distress claim, the court noted that one of the elements of the tort under New York law is “extreme and outrageous conduct.” This requirement is “rigorous, and difficult to satisfy.” Here, the court determined that while broadcasting an individual’s last moments of life without consent “would likely be considered reprehensible by most people” and the court does not condone it, “it was not so extreme and outrageous as to satisfy [the] exceedingly high legal standard.” The footage aired footage “was edited so that it did not include decedent's name, his image was blurred, and the episode included less than three minutes devoted to decedent and his circumstances.” As compared with other conduct the state appellate courts concluded was not sufficiently “extreme and outrageous” to satisfy the elements of the tort, the Chanko
court determined that the defendants’ conduct in allowing the “brief, edited segment” to be broadcast did not support a cause of action for intentional infliction of emotional distress. Id
Under the terms of the Settlement Agreement, the hospital did not admit liability, and OCR did not concede that the hospital did not violate the Privacy Rule.
An incidental disclosure is secondary to a permitted disclosure, limited in nature, that cannot reasonably be prevented (45 CFR 164.502(a)(1)(iii)). Reasonable safeguards to limit incidental disclosures will vary with such things as the entity’s size and the nature of its business.