Close to $1 million in HIPAA fines have been levied against three Boston-area hospitals for serious HIPAA violations after illegally filming patients for a local TV series.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued HIPAA settlements to three different hospitals for HIPAA violations stemming from the filming of a TV series on their premises. ABC’s “Boston Med” was filmed at Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital and exposed the protected health information (PHI) of a number of patients because of a failure to properly obtain patient authorizations.
HIPAA regulation defines PHI as any demographic information that can be used to identify a patient. Common examples of PHI include name, date of birth, Social Security number, medical records, and full facial photography or video. Under the regulation, capturing a patient’s likeness on film without obtaining their authorization is considered a breach of PHI, and it resulted in close to $1 million in HIPAA fines for these three hospitals.
HIPAA regulation states that health care providers must obtain satisfactory authorizations from their patients before allowing media personnel to enter facilities where patients are being treated. Specifically, OCR guidance states that: “Health care providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ PHI will be accessible in written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media.”
OCR Director Roger Severino stated in a press release announcing the HIPAA settlement that “Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments. Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”
This is just one in a series of HIPAA violations and HIPAA settlements stemming from illegally allowing film crews access to hospital patients without receiving express authorization.
In 2016, New York Presbyterian Hospital was fined $2.2 million for a similar violation. New York Presbyterian violated patients’ rights to privacy after inviting film crews into its facilities and failing to receive patient authorization.
HIPAA regulation sets specific standards for the release of PHI for media or marketing purposes. If these Boston hospitals had an effective HIPAA compliance program in place, they could have avoided this detrimental breach of patients’ PHI.
An effective HIPAA compliance program must necessarily include HIPAA policies and procedures addressing each standard outlined in the HIPAA rules. That includes media and marketing provisions, which are meant to protect patient privacy and ensure confidentiality of health care data.
In addition to HIPAA policies and procedures, HIPAA training requirements state that all employees working in a health care setting who can access or encounter PHI must go through annual training. This is to ensure that health care settings will uniformly apply HIPAA standards to safeguard patients’ PHI. In this case, each Boston hospital will now be mandated to provide HIPAA training as a part of the HIPAA settlement.
With more and more visibility being given to HIPAA fines over the past few years, health care professionals can’t afford to go without an effective HIPAA compliance program.