One might be inclined to say that the Hospital simply did not understand
the Privacy Rule’s prohibitions and therefore did not know that it was not
permitted to film patients without their authorization. However, unlike the
complex Privacy Rule provisions discussed at Part III(A)(1)-(3), the Hospital
violated the default rule, the simplest provision in the entire Privacy Rule. In
Part II, I explained that covered entities may not use or disclose PHI without
prior written authorization in any situation in which the information use or
disclosure is not otherwise permitted or required by the Privacy Rule.105
Filming one dying patient and a second clinically distressed patient—both
without prior written authorization—clearly does not constitute TPO, a
public benefit activity, or any other permitted or required information use or
disclosure. Notwithstanding its own notice of privacy practices, which
clearly states that the Hospital is “required by law to maintain the privacy and
security of your protected health information,”106 the Hospital breached two
patients’ privacy in order to produce a reality television show that would
C. Mobile Devices and Portable Records Continue to Challenge Privacy
HHS adopted the Privacy Rule in part due to the growing use of electronic
technology, including the shift from paper to electronic medical records and
the associated increase in privacy-related risks.107 A review of the thirty-five
resolution agreements and/or civil monetary penalty (CMP) agreements into
which HHS has entered suggests that basic mobile technology and portable
records issues, including loss and theft of laptops and thumb drives as well
as printed paper records, continue to challenge Privacy Rule compliance.
In March of 2016, for example, HHS entered into a $3.9 million resolution
agreement with Feinstein Institute for Medical Research (Feinstein), a New
York not-for-profit corporation sponsored by Northwell Health, Inc., a large
health system including twenty-one hospitals and more than 450 patient
facilities and physician practices.108 The settlement followed a Feinstein
employee’s negligent decision to leave an unsecured laptop containing the
PHI of 13,000 patients and research participants, including names, dates of
CAP, then [the Hospital] will be in breach of this Agreement and HHS will not be subject to
the Release. . .”).
105. See text accompanying supra notes 66–68.
106. See Privacy Notice, N.Y.-PRESBYTERIAN,
http://www.nyp.org/pdf/privacy_notice_english.pdf (last visited Aug. 11, 2016).
107. See 1999 Proposed Rule, supra note 19, at 59,920.
108. Resolution Agreement Between HHS & Feinstein Institute for Medical Research,
HHS.GOV, 1, 2 (Mar. 16, 2016), http://www.hhs.gov/sites/default/files/fimr-resolution-agreement-and-corrective-action-plan.pdf (“HHS has agreed to accept, and [Feinstein] has
agreed to pay HHS, the amount of $3,900,000.00. . .”).