Healthcare Information Security

HIPAA and Compliance News

Boston Hospitals Cough Up $1M for ‘Boston Trauma’ HIPAA Violations

OCR announced Sept. 20 that it has fined three Boston-area hospitals close to $1 million for HIPAA violations involving the filming of ABC’s TV series “Save My Life: Boston Trauma.”

HIPAA violations

Source: Thinkstock

By Fred Donovan

- OCR announced Sept. 20 that it has fined three Boston-area hospitals close to $1 million for HIPAA violations involving the filming of ABC’s TV series “Save My Life: Boston Trauma.”*

OCR reached HIPAA settlements with Boston Medical Center (BMC), Brigham and Women's Hospital (BWH), and Massachusetts General Hospital (MGH) for compromising patients’ PHI when they invited the “Boston Trauma” film crews on premises without first obtaining authorization from patients.

“Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments,” said OCR Director Roger Severino. “Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”

Of the total fines, BMC paid $100,000, BWH paid $384,000, and MGH ponied up a hefty $515,000. Each hospital has agreed to provide workforce training as part of a corrective action plan that will include OCR’s guidance on disclosures to film and media.

According to the OCR guidance: “Health care providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ PHI will be accessible in written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media. Only in very limited circumstances ... does the HIPAA Privacy Rule permit health care providers to disclose protected health information to members of the media without a prior authorization signed by the individual.”

Surprisingly, these are not the first HIPAA fines resulting from the filming of a TV series in a hospital. In 2016, New York Presbyterian Hospital (NYP) agreed to pay $2.2 million to OCR for HIPAA violations in filming “NY Med.”

The New York hospital faced an OCR probe after it allowed film crews and staff to capture two patients on screen without getting the necessary authorization.

In addition to the settlement fines, NYP agreed to a substantive corrective action plan. As part of the plan, OCR monitored the hospital for two years to ensure that it complied with HIPAA rules.

“In particular, OCR found that NYP allowed the ABC crew to film someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop,” OCR said at the time. 

By allowing the media crew to film the patients, NYP allegedly disclosed PHI, including images of patients, OCR pointed out.

“This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization,” said then OCR Director Jocelyn Samuels.  “We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.”

The OCR investigation also revealed that NYP allegedly did not safeguard patient information per HIPAA obligations. While filming, the ABC media crew could have accessed most of the healthcare facility, including areas where PHI was stored.

That was not the first time that NYP ran afoul of HIPAA. Back in 2010, the hospital and Columbia University paid $4.8 million in HIPAA settlement fines after an alleged healthcare data breach.

An OCR investigation found a data network that was shared by both facilities inadvertently allowed ePHI to be accessible on web-based search engines.

The hospital paid $3.3 million out of the total settlement. OCR also developed a corrective action plan for the hospital, which included developing a risk analysis, implementing a risk management plan, reviewing policies, educating staff, and providing progress reports.

*An earlier version of this story had the wrong name for the TV show. It was called “Save My Life: Boston Trauma,” not “Boston Med.” OCR issued a correction to its press release. “Boston Med,” also an ABC television series, was not involved in the investigation.

X

SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
BYOD
Cybersecurity
Data Breaches
Ransomware

Our privacy policy


no, thanks

Continue to site...