Legislative and Regulatory Update | Privacy and HIPAA

HIPAA Breaches Make News, Cost Money

Three Boston hospitals that were recently slapped with HIPAA violations for allowing television crews into their facilities are reminders of the intricacies of patient privacy laws. 

As privacy and compliance officers know, HIPAA breaches make big, embarrassing headlines. The Oct. 5 issue of HIPAA Journal listed the following:

  • A 26-month-long malware infection of an Oregon clinic’s medical records system that affected 4,058 patients
  • Investigation by the FBI of a breach at a Georgia medical center
  • Hacking of 19,000 Toyota employees’ health plan information
  • 722 billing statements sent to the wrong people in Kansas City, Missouri
  • A software error that resulted in 822 envelopes containing protected health information (PHI) being misaddressed by the Oklahoma Department of Human Services
  • Two incidents in Ottawa, Kansas, involving unauthorized access to more than 16,000 individuals’ records

Breaches are Expensive

Not only are such news accounts unfortunate, they are often quite costly as three Boston-area hospitals recently learned. Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital were fined a total of almost $1 million for HIPAA violations that occurred because of TV filming. 

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced in late September that it had fined the hospitals for compromising the privacy of patient information “by inviting film crews on premises to film an ABC television network documentary series, without first obtaining authorization from patients.” A similar case in 2016 resulted in a settlement with New York-Presbyterian Hospital in association with filming another TV show.

“Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments,” said Roger Severino, OCR director. He reminds us: “Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”

Settlement Agreements and Corrective Action Plans

These types of incidents typically result in settlement agreements and corrective action plans (CAPs) requiring the facility to re-educate members of the workforce about HIPAA compliance. In the case of the Boston hospitals, among other things the CAPs required the facilities to include in their retraining the answer to this frequently asked question: “Can healthcare providers invite or arrange for members of the media, including film crews, to enter treatment areas of their facilities without prior authorization?”

The answer reads in part:

Healthcare providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ PHI will be accessible in written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area … . Only in very limited circumstances … does the HIPAA Privacy Rule permit healthcare providers to disclose protected health information to members of the media without a prior authorization signed by the individual.

The Boston hospitals’ experience should be a lesson to all.

Settlement agreements with the Boston hospitals can be accessed on the HHS website, and helpful information is found at HIPAA FAQs for Professionals.


J. Stuart Showalter, JD, MFS, is a contributing editor for HFMA.
