Source Article | Article Suggested by Kristofer Schleicher | Comments Courtesy of Matt Zavadsky
We know that some EMS agencies participate in the filming of TV shows, but you need to be very careful – the Office of Civil Rights takes these issues very seriously.
Tip of the hat to Kristofer Schleicher, MedStar’s general counsel, for this article.
OCR announced Sept. 20 that it has fined three Boston-area hospitals close to $1 million for HIPAA violations involving the filming of ABC’s TV series “Boston Med.”
By Fred Donovan
September 20, 2018 - OCR announced Sept. 20 that it has fined three Boston-area hospitals close to $1 million for HIPAA violations involving the filming of ABC’s TV series “Boston Med.”
OCR reached HIPAA settlements with Boston Medical Center (BMC), Brigham and Women's Hospital (BWH), and Massachusetts General Hospital (MGH) for compromising patients’ PHI when they invited the “Boston Med” film crews on premises without first obtaining authorization from patients.
“Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments,” said OCR Director Roger Severino. “Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”
Of the total fines, BMC paid $100,000, BWH paid $384,000, and MGH ponied up a hefty $515,000. Each hospital has agreed to provide workforce training as part of a corrective action plan that will include OCR’s guidance on disclosures to film and media.
According to the OCR guidance: “Health care providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ PHI will be accessible in written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media. Only in very limited circumstances ... does the HIPAA Privacy Rule permit health care providers to disclose protected health information to members of the media without a prior authorization signed by the individual.”
Surprisingly, these are not the first HIPAA fines resulting from the filming of a TV series in a hospital. In 2016, New York Presbyterian Hospital (NYP) agreed to pay $2.2 million to OCR for HIPAA violations in filming “NY Med.”
The New York hospital faced an OCR probe after it allowed film crews and staff to capture two patients on screen without getting the necessary authorization.
In addition to the settlement fines, NYP agreed to a substantive corrective action plan. As part of the plan, OCR monitored the hospital for two years to ensure that it complied with HIPAA rules.
“In particular, OCR found that NYP allowed the ABC crew to film someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop,” OCR said at the time.
By allowing the media crew to film the patients, NYP allegedly disclosed PHI, including images of patients, OCR pointed out.
“This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization,” said then OCR Director Jocelyn Samuels. “We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.”
The OCR investigation also revealed that NYP allegedly did not safeguard patient information per HIPAA obligations. While filming, the ABC media crew could have accessed most of the healthcare facility, including areas where PHI was stored.
That was not the first time that NYP ran afoul of HIPAA. Back in 2010, the hospital and Columbia University paid $4.8 million in HIPAA settlement fines after an alleged healthcare data breach.
An OCR investigation found a data network that was shared by both facilities inadvertently allowed ePHI to be accessible on web-based search engines.
The hospital paid $3.3 million out of the total settlement. OCR also developed a corrective action plan for the hospital, which included developing a risk analysis, implementing a risk management plan, reviewing policies, educating staff, and providing progress reports.