A Sum of $999,000 Paid to OCR as HIPAA Penalties for Impermissible PHI Disclosure to ABC Film Crew

Three hospitals paid the Department of Health and Human Services’ Office for Civil Rights (OCR) a fine of $999,000 to settle their HIPAA violation. Because the hospitals allowed ABC film to record a video of patients for its Boston Med TV series and were not able to get the patients’ consent before letting other individuals besides physicians and nurses access the patients and their health data, OCR issued them a fine.

OCR already investigated a HIPAA violation case associated with the Boston Med TV series before. In the first case in April 2016, New York Presbyterian Hospital had to pay $2.2 million to settle its HIPAA violation. Apparently, the hospital committed an impermissible disclosure of PHI to the ABC film crew for allowing them to do a video recording of patients without getting their consent.

This time, OCR fined the following hospitals: Brigham and Women’s Hospital, Boston Medical Center and Massachusetts General Hospital.

Brigham and Women’s Hospital (BWH) paid $384,000 as penalty for its HIPAA violations . BWH allowed the ABC film crew to shoot a video from October 2014 to January 2015. Prior to the shooting of the video, BWH looked over the patient privacy issues and provided ABC film crew with a HIPAA privacy training, much like the training BWH provides its personnel. BWH also obtained written permission from their patients. But according to OCR, BWH violated HIPAA Rules because BWH’s timing in securing some patients’ authorizations was off. As a result, BWH impermissibly disclosed the medical information of some patients to ABC employees, violating 45 C.F.R. § I64.502(a). BWH likewise violated 45 C.F.R. § 164.530(c) for its failure to reasonably protect the PHI of patients.

Boston Medical Center (BMC) paid $100,000 as penalty for its HIPAA violations. BMC impermissibly disclosed to ABC staff the patients’ PHI during the creation of the footage for the Med TV series, violating 45 C.F.R. § 164.502(a).

Massachusetts General Hospital (MGH) paid $515,000 as settlement fee for its HIPAA violations. The hospital granted permission to an ABC film crew to shoot a footage from October 2014 up to January 2015. Like BWH, MGH talked about patient privacy issues and provided the film staff with a tranining on HIPAA privacy prior to the shoot. But OCR deemed that MGH violated 45 C.F.R. § I64.502(a) because patient authorizations were acquired after impermissibly disclosing PHI. MGH also was unable to sufficiently and reasonably protect the patients’ PHI at the time of recording the footage thus violating 45 C.F.R. § 164.530(c).

Aside from paying the fines, the three hospitals are required to implement a corrective action plan including additional employees training concerning the permitted uses and disclosures of sensitive data to media.