{ Banner Image }

Filming for TV Show Results in HIPAA Violation and $2.2 Million Settlement Paid by New York Presbyterian Hospital

HospitalIt’s not uncommon for “covered entities” such as hospitals and health systems to violate the Privacy Rule under the Health Insurance Portability and Protection Act of 1996 (“HIPAA”). A stolen laptop or misplaced file can expose information that should be protected. Rarely, however, does a violation arise from the filming of a television show. But that’s exactly what happened in the case of New York Presbyterian Hospital (“NYP”), which recently entered into a settlement with the Department of Health and Human Services, Office for Civil Rights (“OCR”) for $2.2 million.

NYP allowed “NY Med,” an ABC television series, to film on-site without first obtaining patient authorization. OCR explained in a news release that NYP allowed the show to film someone who was dying and another in distress, even after being asked to stop by a medical professional. OCR characterized the disclosures as “egregious” and stated that by revealing the patients’ protected health information (PHI), NYP’s actions “blatantly violate the HIPAA Rules.”

OCR also found that NYP failed to safeguard PHI by allowing the film crew “virtually unfettered” access to its facility. In addition to the $2.2 million payment, as part of the settlement OCR will monitor NYP for two years to help ensure NYP remains compliant with its HIPAA obligations.

This settlement is an important reminder to HIPAA covered entities and their business associates regarding the proper care and safeguarding of PHI. Certainly covered entities should think twice about allowing film crews into their facilities. If they do, the environments in which they film must be tightly controlled. As a starting point, covered entities should carefully review the FAQ sheet issued by OCR addressing situations involving media access to PHI.

To avoid investigations, fines and other negative consequences, it is critical for covered entities to ensure their policies and procedures are in compliance with HIPAA’s requirement.

Categories: HIPAA, Privacy


Type the following characters: three, foxtrot, mike, romeo, mike

* Indicates a required field.