OCR recently announced two HIPAA enforcement actions with healthcare organizations: Raleigh Orthopaedic Clinic and New York Presbyterian Hospital. Our VP of Compliance Strategies was interviewed by HealthcareInfoSecurity and offered his insight into the two cases.
The first organization, Raleigh Orthopaedic Clinic, must pay a $750,000 penalty stemming from an incident involving a vendor tasked with converting x-rays to digital images in exchange for harvesting the silver from the x-rays. The clinic failed to execute a Business Associate Agreement prior to releasing the films to the vendor. The enforcement action, announced by Jocelyn Samuels at the recent HCCA Compliance Institute, also requires the organization to update its policies and procedures to align with HIPAA requirements. In an article on HealthcareInfoSecurity, our David Holtzman discusses the settlement and reiterates the importance of an effective vendor management process.
The second organization, New York Presbyterian Hospital, received a penalty of $2.2 million and a corrective action plan related to the filming of the television series “NY Med.” Patients were filmed during visits to the ER without their permission first being obtained. Additionally, the crew of the series were allowed virtually unrestricted access to the hospital, potentially allowing access to PHI. In another article on HealthcareInfoSecurity, David Holtzman discusses this settlement and how the hospital could have avoided this mistake.