Three Boston-area hospitals were fined a total of almost $1 million for HIPAA violations that occurred because of TV filming.
As privacy and compliance officers know, HIPAA breaches make big, embarrassing headlines. The Oct. 5 issue of HIPAA Journal listed the following:
- A 26-month-long malware infection of an Oregon clinic’s medical records system that affected 4,058 patients
- Investigation by the FBI of a breach at a Georgia medical center
- Hacking of 19,000 Toyota employees’ health plan information
- 722 billing statements sent to the wrong people in Kansas City, Missouri
- A software error that resulted in 822 envelopes containing protected health information (PHI) being misaddressed by the Oklahoma Department of Human Services
- Two incidents in Ottawa, Kansas, involving unauthorized access to more than 16,000 individuals’ records
Breaches are Expensive
Not only are such news accounts unfortunate, they are often quite costly, as three Boston-area hospitals recently learned. Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital were fined a total of almost $1 million for HIPAA violations that occurred because of TV filming.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced in late September that it had fined the hospitals for compromising the privacy of patient information “by inviting film crews on premises to film an ABC television network documentary series, without first obtaining authorization from patients.” A similar case in 2016 resulted in a settlement with New York-Presbyterian Hospital in connection with the filming of another TV show.
“Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments,” said Roger Severino, OCR director. He reminds us: “Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”
Settlement Agreements and Corrective Action Plans
These types of incidents typically result in settlement agreements and corrective action plans (CAPs) requiring the facility to re-educate members of the workforce about HIPAA compliance. In the case of the Boston hospitals, among other things, the CAPs required the facilities to include in their retraining the answer to this frequently asked question: “Can healthcare providers invite or arrange for members of the media, including film crews, to enter treatment areas of their facilities without prior authorization?”
The answer reads in part:
Healthcare providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ PHI will be accessible in written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area … . Only in very limited circumstances … does the HIPAA Privacy Rule permit healthcare providers to disclose protected health information to members of the media without a prior authorization signed by the individual.
The Boston hospitals’ experience should be a lesson to all.
J. Stuart Showalter, JD, MFS, is a contributing editor for HFMA.