filming settlementsWhat should we learn from the recent OCR filming settlements?  This time it was three settlements in one that related to a fourth.  There is more here than the headline-grabbing dollar amounts.  These settlements are the best specific guidance you can get from OCR.  As always, we do the analysis for you!

HIPAA For MSPs by David Sims 6 Takeaways From The Filming Settlements
00:00:00 00:00:00

This one is an interesting one.  Actually, all of the 2018 announcements have been very specific and interesting.  What makes this one stand out is that it involves 4 related cases from 4 different covered entities.  They are all involved in allowing a reality show film in their facilities without getting proper authorizations from the patients.

Unauthorized Disclosure of Patients’ Protected Health Information During ABC Television Filming Results in Multiple HIPAA Settlements Totaling $999,000

The first one of the four cases was settled way back in April of 2016.  That case is when they hit NY Presbyterian with $2.2m settlement for allowing the film crew access to the PHI of the patients being filmed.  (Unauthorized Filming for “NY Med” Results in $2.2 Million Settlement with New York Presbyterian Hospital)  In that case, a complaint was filed against the hospital with HHS.  It included a 2 year CAP.  That means they are just a few months past the end of it.  In their case, the filming that prompted the complaint took place on April 28, 2011.  The complaint wasn’t filed until January 27, 2013, though.

This recent announcement covers 3 additional hospitals which they group together as “the Boston hospitals” on the OCR file names.  The same kind of issue but this time, OCR didn’t wait around for the complaint to come in, they just watched the news themselves.

“Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments,” said Roger Severino, OCR director. “Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”

The settlement dollar amounts total up to a nice clean number which is what makes the most headlines.  Combined they equal $999,000.  Surely they could have found a way to have someone do an additional $999 so we could get 6 nines.

Boston Medical Center – $100,000

On January 26, 2015, HHS initiated a compliance review of BMC based on information contained in a Boston Globe article dated January 12, 2015. The article indicated BMC permitted ABC News to film a medical documentary program at BMC…

BMC disclosed the protected health information (“PHI”) of patients to ABC employees during the production and filming of a television program at BMC.

Brigham and Women’s Hospital – $384,000

On January 26, 2015, HHS initiated a compliance review of BWH based on information contained in a Boston Globe article dated January 12, 2015. The article indicated BWH permitted ABC News to film a medical documentary program at BWH. On February 13, 2015, HHS notified BWH of HHS’ review of BWH’s compliance with the Privacy Rule. Prior to the filming, which took place from October 2014 to January 2015, BWH reviewed and assessed patient privacy issues related to the filming and implemented various protections regarding patient privacy, including providing the ABC film crew with the same HIPAA privacy training received by BWH’s workforce.

Based on the timing of when BWH received some written patient authorizations, BWH impermissibly disclosed the PHI of patients to ABC employees during the production and filming of a television program at BWH

Despite the various patient privacy protections that were put in place by BWH, BWH failed to appropriately and reasonably safeguard its patients’ PHI from disclosure during a filming project conducted by ABC on its premises in 2014 and January 2015

Massachusetts General Hospital – $515,000

On December 17, 2014, HHS initiated a compliance review of MGH based on a news story posted to MGH’s website on October 3, 2014, indicating that ABC News would be filming a medical documentary program at MGH. On January 5, 2015, HHS notified MGH of HHS’ review of MGH’s compliance with the Privacy Rule. Prior to the filming, which took place from October 2014 to January 2015, MGH reviewed and assessed patient privacy issues related to the filming and implemented various protections regarding patient privacy, including providing the ABC film crew with the same HIPAA privacy training received by MGH’s workforce.

Based on the timing of when MGH received some written patient authorizations, MGH impermissibly disclosed the PHI of patients to ABC employees during the production and filming of a television program at MGH.

Despite the various patient privacy protections that were put in place by MGH, MGH failed to appropriately and reasonably safeguard its patients’ PHI from disclosure during a filming project conducted by ABC on its premises in 2014 and January 2015.

Let’s check out this timeline here or at least what we see clearly.

  • April 28, 2011 – NY Med filming by ABC at NY Presbyterian
  • January 27, 2013 – complaint filed about NY Presbyterian
  • October 2014 to January 2015 – Brigham and Women’s and Massachusetts General filming takes place but prior to filming they evaluate privacy issues and provide workforce privacy training to ABC film crew.
  • October 3, 2014 – Announcement on Massachusetts General website that they will be part of ABC reality show Boston Med.
  • December 17, 2014 – OCR notifies Massachusetts General they are opening an investigation.
  • January 12, 2015 – Boston Globe article announces both Brigham and Women’s and Boston Medical will be included in the ABC show.
  • January 26, 2015 – OCR let’s those two know they are opening an investigation
  • April 2016 – Settlement with NY Presbyterian
  • September 2018 – Settlement with Boston hospitals

So what can we learn from these filming settlements?

  1. OCR opens investigations when they see things in the news not just when a complaint comes to them.
  2. Just because you trained staff doesn’t mean it is ok to have them do work that doesn’t fall under TPO.
  3. Getting written authorizations must be done in a reasonable time frame.  Bad timing can result in improper disclosures made before you get the authorizations.
  4. You can’t just wave a magic training wand over these kinds of situations and forget about the rest.  Training doesn’t mean that the persons being trained actually have a need to have PHI disclosed to them in order to do their job FOR the CE or BA.
  5. The phrase “appropriately and reasonably safeguard its patients’ PHI from disclosure” doesn’t mean you can talk your way out of having to do the work.  You have to state your case and hope they agree.
  6. Cameras around patients is NEVER a good idea without a risk analysis!

Recent discussions about security cameras came to mind as I was reviewing things here. I will definitely need to revisit that discussion!

Here is another example of specific guidance coming out in these filming settlements.  It is a valuable asset to our knowledge base if you just take the time to read the details.  Of course, most folks just read the headlines and the bullets which never gives you the information that applies to your privacy and security program.  Another reason we do what we do here at Help Me With HIPAA!