On September 20, the Department of Health and Human Services’ Office for Civil Rights announced a fine of $999,000 for three Boston hospitals, all of which violated HIPAA while allowing ABC’s TV series “Boston Med” to film the show in their facilities.
Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH) allowed film crews on premises prior to obtaining patients’ authorization.
BMC agreed to pay $100,000 for their failure to comply with HIPAA regulations when the hospital impermissibly disclosed PHI to ABC employees.
BWH settled their HIPAA violations with a $384,000 fine. OCR found that although BWH did conduct a review of patient privacy issues and had ABC crews go through HIPAA privacy training, some written authorization forms signed by patients were received after an impermissible disclosure of their PHI.
MGH agreed to pay the $515,000 fine issued by OCR for HIPAA violations similar to BWH’s. Filming of Boston Med occurred at MGH (as well as BWH) between October 2014 and January 2015, and, as at BWH, film crews went through HIPAA privacy training and a review of patient privacy issues was conducted. MGH was found to have violated HIPAA by receiving patient authorization after the impermissible disclosure of PHI as well as by failing to reasonably and appropriately safeguard patients’ PHI during filming.
Not the First Time
This is not the first time OCR has issued fines for violations regarding filming in a hospital. HIPAA fines were issued to New York Presbyterian Hospital (NYP) for HIPAA violations that resulted from the filming of “NY Med” in 2016.
NYP, which allowed crews to film two patients on screen without getting the necessary authorization, also failed to safeguard patient information. The New York hospital agreed to pay a fine of $2.2 million to OCR for its violations.
NYP agreed to a substantive corrective action plan for its HIPAA violations, and now BMC, BWH, and MGH will also have to adopt corrective action plans for their misconduct. All three Boston hospitals will need to provide workforce training that includes allowable uses and disclosures of PHI to film and media.
These fines and corrective measures serve as a reminder that OCR takes patient privacy very seriously, requiring HIPAA compliance from all Covered Entities and Business Associates.