Hospitals Fined $1 Million After TV Crews Film Patients
HHS Slaps Three Boston Hospitals With HIPAA Penalties
Story has been updated to reflect the official name of the Boston-based TV series.
HIPAA privacy violations can come in many forms. Case in point: Federal regulators have smacked three Boston hospitals with settlements totaling nearly $1 million for allowing crews for the documentary TV show "Save My Life: Boston Trauma" to film on their premises in 2014 and 2015 without obtaining authorization from patients.
The cases at the center of the Department of Health and Human Services' settlements with Massachusetts General and Brigham & Women's hospitals - both owned by Partners Healthcare - and Boston Medical Center are similar to another case in 2016.
In the 2016 incident, HHS's Office for Civil Rights entered a $2.2 million settlement with New York-Presbyterian Hospital in connection with the filming of a similar ABC News documentary TV show, "NY Med." In that earlier settlement, OCR said the hospital allowed a TV crew to film someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop.
"This second OCR enforcement action involving the filming of a network reality television series inside a healthcare provider's treatment area serves as a line in the sand for HIPAA covered entities and their business associates," notes privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek.
"Healthcare providers cannot expose patients or their treatment records to the glare of television lights or a reporter's notebook without first obtaining an authorization that meets the requirements of the HIPAA Privacy Rule."
In the latest OCR enforcement actions, the financial penalties were $515,000 for Mass General, $384,000 for Brigham & Women's and $100,000 for Boston Medical Center.
OCR did not immediately respond to a request for comment on how the agency determined the settlement amounts for each hospital.
"Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments," Roger Severino, OCR director, says in a statement. "Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information."
The settlements with the three hospitals note that OCR initiated HIPAA compliance reviews shortly after it became aware, based on local news coverage, of the TV show filming at the institutions.
The settlements with Mass General and Brigham & Women's indicate that OCR found both hospitals had "a variety of patient privacy protections in place," but they failed to "appropriately and reasonably safeguard ... patients' PHI from disclosure" during TV filming projects by ABC News in October 2014 and January 2015.
For instance, OCR determined that prior to the filming, Mass General reviewed and assessed patient privacy issues related to the filming and implemented various protections regarding patient privacy, including providing the ABC film crew with the same HIPAA privacy training received by the hospital's workforce.
Despite these efforts, however, HHS's investigation found that "based on the timing of when MGH [Mass General] received some written patient authorizations, MGH impermissibly disclosed the PHI of patients to ABC employees during the production and filming of a television program at MGH."
The resolution agreement with Brigham & Women's cites similar examples of violations.
OCR says the hospital "impermissibly disclosed PHI of patients to ABC employees during the production and filming of a television program," but makes no mention of the medical center attempting to put into place privacy protections before filming.
In a joint statement, Mass General and Brigham & Women's say that neither institution received complaints from patients or their families regarding ABC News' filming activities. "In fact, some patients and families expressed gratitude about being given an opportunity to share their stories and experiences in a way that could help others across the nation," the statement says.
"In 2014, MGH and BWH agreed to participate in the ABC News documentary to provide viewers a window into the expert care that academic medical centers deliver every day - the kind of care that had been the focus of national attention in the wake of the Boston Marathon bombings," the statement says. "The hospitals believe that working with the media is a vital means of educating and informing the public about medicine and healthcare, reinforcing messages about disease and prevention, and providing reassurance to those who may one day require the expertise and skill of a trauma center."
Before the filming began, each hospital reviewed and assessed patient privacy issues related to the specific documentary project and implemented various patient privacy protections, the statement says. The hospitals say:
- ABC News crew members received HIPAA training and signed confidentiality agreements.
- The hospitals signed contractual agreements with ABC News that required that no patient be included in the documentary unless that patient had given explicit consent in writing, and patients were provided the opportunity to withdraw consent.
- Throughout the filming, patients, families, visitors and staff were informed about the presence of the documentary crew and provided information about the project, explaining that participation was voluntary and offering a hospital contact who could address any questions or concerns.
In a statement provided to Information Security Media Group, Boston Medical Center says it obtained "proper consent" from all patients involved in the filming project in full compliance with HIPAA. "However, BMC chose to settle this case to resolve the matter and avoid further burden and expense. We value our patients' privacy as a highest priority while providing exceptional care."
Lessons to Learn
Some privacy experts say others can learn important lessons from the sanctions against the three Boston hospitals.
"These are important cases for regulated entities to review for several reasons," says privacy attorney Iliana Peters of the law firm Polsinelli. "First, note that OCR used its authority under the HIPAA Enforcement Rule to open compliance reviews to investigate all three entities, based on a news report from the Boston Globe in January of 2015 and on a link on Massachusetts General Hospital's website," says Peters, a former longtime enforcement official at OCR.
"It's important to remember that OCR has this general authority to investigate regulated entities and does not have to initiate an investigation based on a specific complaint, breach report or referral from another agency," she says.
Also, this is the second OCR resolution agreement with Massachusetts General, she notes. "In that respect, it's also important to understand that OCR can, and will, pursue civil monetary penalties against an entity more than once."
In 2011, OCR slapped Mass General with a $1 million HIPAA settlement in a case involving the loss of paper documents for 192 patients in the hospital's General Infectious Disease Associates outpatient practice, including those with HIV/AIDS.
Peters says these most recent settlements highlight that individuals have the right to decide how their PHI is used and disclosed. If such a use or disclosure is not otherwise specifically permitted by the HIPAA Privacy Rule, "OCR takes indications of noncompliance related to individual rights very seriously," she says.
"This is especially important to consider, given that individual rights may not be at the forefront of all of our minds, as we are all running from cybersecurity incident to cybersecurity incident. Individual rights are, however, always at the forefront of OCR's enforcement efforts."
Break in Recent Drought?
The settlements with the three Boston area hospitals come after a lull in OCR enforcement actions this year.
After record enforcement activity in 2016 and 2017 - with a total of 23 settlements and civil monetary penalties issued those two years - HHS had issued only three HIPAA enforcement actions so far this year until this week's announcement (see Are State AGs Picking Up Slack in HIPAA Enforcement?).