The Department of Health and Human Services’ Office for Civil Rights (OCR) fined three hospitals the amount of $999,000 for allowing an ABC film crew to shoot a video footage of patients for its Boston Med TV series. Allowing the footage was deemed a violation of the Health Insurance Portability and Accountability Act (HIPAA) Rules. Hospitals must make sure to obtain the patients’ authorization prior to allowing other people besides doctors and nurses to access the patients and their medical data.
OCR investigated this type of HIPAA violation case related to the Boston Med TV series for the second time. The first time, it was the New York Presbyterian Hospital which settled its HIPAA violation case by paying $2.2 million on April 16, 2016 to settle the impermissible PHI disclosure to the ABC film crew when the series was recorded without obtaining the patients’ consent.
OCR issued fines to the following hospitals: Boston Medical Center, Brigham and Women’s Hospital and Massachusetts General Hospital.
Boston Medical Center (BMC) paid OCR $100,000 to settle its HIPAA violations. BMC was found to have impermissibly disclosed to ABC employees the PHI of patients during the production and filming of the Med TV series, which is a violation of 45 C.F.R. § 164.502(a).
Brigham and Women’s Hospital (BWH) paid OCR $384,000 to settle its HIPAA violations . BWH permitted an ABC film crew to take a footage from October 2014 to January 2015. Before the filming, BWH reviewed the patient privacy issues and gave the ABC film crew a HIPAA privacy training, just like the training provided to its employees. BWH likewise acquired written consent from patients. Even so, OCR determined that BWH violated HIPAA Rules. It is stated in the settlement agreement that BWH’s timing of getting some patients’ written authorizations was off, hence, BWH impermissibly disclosed the patients’ PHI to ABC employees, which violates 45 C.F.R. § I64.502(a). BWH also violated 45 C.F.R. § 164.530(c) by failing to reasonably secure the PHI of patients.
Massachusetts General Hospital (MGH) paid OCR $515,000 to settle its HIPAA violations. The hospital in the same way permitted an ABC film crew to shoot a video from October 2014 to January 2015. MGH reviewed the patient privacy issues and gave the film crew a HIPAA privacy training just as what BWH did. But just like BWH, OCR declared that MGH violated 45 C.F.R. § I64.502(a) as patient authorizations were obtained after the impermissible PHI disclosure. MGH also failed to adequately and reasonably secure patients’ PHI during the series footage recording violating 45 C.F.R. § 164.530(c).
Besides paying the financial penalty, the three hospitals need to undertake a corrective action plan that includes giving their employees more training about the allowable uses and disclosures of PHI to media.
HIPAA Enforcement in 2018
2016 is OCR’s record year for issuing HIPAA penalties in 2016 with 12 HIPAA violation settlements and one civil monetary penalty issuance. In 2017, there were only 9 HIPAA violation settlements and one civil monetary penalty issuance.
2018, so far, has less financial penalties issued for HIPAA violations. Only three penalties have been issued before September 20, 2018. Including the three settlements mentioned above, the HIPAA violation penalties issued this year totals six.
The following lists the six HIPAA Penalties and Settlements with OCR in the Year 2018:
- Boston Medical Center – $100,000 settlement for recording footage of patients without authorization
- Brigham and Women’s Hospital – $384,000 settlement for recording footage of patients without authorization
- Massachusetts General Hospital – $515,000 settlement for recording footage of patients without authorization
- University of Texas MD Anderson Cancer Center – $4,348,000 civil monetary penalty for failing to encrypt data and impermissibly disclosing ePHI
- Filefax, Inc. – $100,000 settlement for impermissibly disclosing PHI
- Fresenius Medical Care North America – $3,500,000 settlement for multiple HIPAA violations
The following lists the four HIPAA settlements with the State Attorneys General in 2018:
- New York -Arc of Erie County -$200,000 settlement for online exposure of PHI
- New Jersey – Virtua Medical Group – $417,816 settlement for online exposure of PHI
- New York – EmblemHealth – $575,000 settlement for PHI exposure in mailing
- New York – Aetna – $1,150,000 settlement for PHI exposure in mailing