Three Boston Hospitals Pay HIPAA Fines

In early September 2018, three Boston hospitals, Brigham Women’s Hospital, Boston Medical Center, and Massachusetts General Hospital, collectively paid $999,000 in a settlement for potential HIPAA violations.

The fines were imposed by the Department of Health and Human Services, Office of Civil Rights for compromising patients’ Protected Health Information, or PHI. The potential breach of PHI occurred during the filming of the ABC reality TV series Save My Life: Boston Trauma.

HIPAA explicitly requires healthcare providers to obtain signed release forms from patients prior to granting any members of the media access to spaces where PHI is accessible in any capacity – including written, oral, visual or audio form.

A 2016 press release from HHS states “Health care providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ PHI will be accessible. The announcement continues, “…prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media must be obtained.”

Notably, the ABC film crews received patient privacy training and signed confidentiality agreements before filming in the various hospitals, but OCR ruled that was not enough. This story illustrates the importance of not only knowing HIPAA rules and regulations but also enforcing these standards at all times.

As part of their corrective action plan, all three hospitals involved will provide their employees with additional training about patients’ privacy rights. This training will also include information about media release forms and the necessity of using these forms at any time when patients’ private moments may become public.

You may have read about a similar settlement involving the ABC network and New York Presbyterian Hospital in 2016. Much like the Boston incident, patients’ PHI was compromised during the filming of the reality TV series New York Med. The hospital settled with HHS for $2.2 million.

Health law experts warn hospitals and other providers to learn from cases like these. Protecting patients’ right to privacy should always remain the top priority for all entities regulated by HIPAA.

This is why our HIPAA Prime™ online modules break down the complexities of the law in easy to understand terms and outline the best course of action for addressing every facet of HIPAA for agents, healthcare providers, and their business associates.

Sources:
Healthcare Info Security

https://www.hhs.gov/hipaa/for-professionals/faq/2023/film-and-media/index.html

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/bostoncases/index.html

Boston Magazine

https://www.bizjournals.com/boston/news/2018/09/20/feds-say-boston-hospitals-violated-patients.htm