The Department of Health and Human Services, Office for Civil Rights (OCR) announced three separate settlements with Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH), respectively, over potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule totaling $999,000. According to the settlements, the potential violations were the result of the alleged disclosure of patient protected health information (PHI) to ABC News employees during the production and filming of the docuseries called “Save My Life: Boston Trauma,” at each hospital.
BMC settled for $100,000, BWH settled for $384,000, and MGH settled for $515,000. According to the corrective action plans, BMC was the only hospital that did not first assess the risks to patient privacy before filming or instituting appropriate patient privacy protections. BWG and MGH, respectively, completed such assessments and instituted some protections during the producing and filming of the docuseries, but OCR determined that such protocols failed to reasonably and appropriately safeguard patients’ PHI from impermissible disclosure. Based on the timing of when BWG and MGH received some of their patient authorizations, OCR also determined the hospitals invited film crews onto their premises before obtaining appropriate patient authorization. As a result, all three hospitals must provide workforce training that will include OCR’s guidance on disclosures to film and media.
This is the second HIPAA case involving an ABC medical documentary television series. In April 2016, OCR announced a $2.2 million settlement with New York-Presbyterian Hospital associated with alleged violations that occurred during the filming of “NY Med.” The settlement included a comprehensive corrective action plan with two years of monitoring.
The HIPAA Privacy Rule prohibits health care providers from allowing members of the media, such as film crews, into areas where PHI will be accessible without prior authorization from the patients who are or will be in the area or whose PHI will be accessible to the media. Please note that OCR deems it insufficient for a health care provider to request or require media personnel to mask the identities of patients using techniques such as blurring, pixilation, or voice alteration, for whom an authorization was not first obtained. Health care providers must also implement reasonable safeguards to protect against impermissible disclosures or limit incidental disclosures of other PHI that may be in the area but for which an authorization has not been obtained.