Legislative and Regulatory Update | Privacy and HIPAA

HIPAA Breaches Make News, Cost Money


Three Boston hospitals that were recently slapped with HIPAA violations for allowing television crews into their facilities are reminders of the intricacies of patient privacy laws. 

Three Boston-area hospitals were fined a total of almost $1 million for HIPAA violations that occurred because of TV filming.

As privacy and compliance officers know, HIPAA breaches make big, embarrassing headlines. The Oct. 5 issue of HIPAA Journal listed the following:

  • A 26-month-long malware infection of an Oregon clinic’s medical records system that affected 4,058 patients
  • Investigation by the FBI of a breach at a Georgia medical center
  • Hacking of 19,000 Toyota employees’ health plan information
  • 722 billing statements sent to the wrong people in Kansas City, Missouri
  • A software error that resulted in 822 envelopes containing protected health information (PHI) being misaddressed by the Oklahoma Department of Human Services
  • Two incidents in Ottawa, Kansas, involving unauthorized access to more than 16,000 individuals’ records

Breaches are Expensive

Not only are such news accounts unfortunate, they are often quite costly, as three Boston-area hospitals recently learned. Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital were fined a total of almost $1 million for HIPAA violations that occurred because of TV filming.

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced in late September that it had fined the hospitals for compromising the privacy of patient information “by inviting film crews on premises to film an ABC television network documentary series, without first obtaining authorization from patients.” A similar case in 2016 resulted in a settlement with New York-Presbyterian Hospital in association with filming another TV show.

“Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments,” said Roger Severino, OCR director. He reminds us: “Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”

Settlement Agreements and Corrective Action Plans

These types of incidents typically result in settlement agreements and corrective action plans (CAPs) requiring the facility to re-educate members of the workforce about HIPAA compliance. In the case of the Boston hospitals, among other things, the CAPs required the facilities to include in their retraining the answer to this frequently asked question: “Can healthcare providers invite or arrange for members of the media, including film crews, to enter treatment areas of their facilities without prior authorization?”

The answer reads in part:

Healthcare providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ PHI will be accessible in written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area … . Only in very limited circumstances … does the HIPAA Privacy Rule permit healthcare providers to disclose protected health information to members of the media without a prior authorization signed by the individual.

The Boston hospitals’ experience should be a lesson to all.

Settlement agreements with the Boston hospitals can be accessed on the HHS website, and helpful information is found at HIPAA FAQs for Professionals.

J. Stuart Showalter, JD, MFS, is a contributing editor for HFMA.
