HIPAA and 15-minutes-of-fame are not compatible. In September 2018, the federal Department of Health and Human Services, Office for Civil Rights (“OCR”) announced that it had reached settlements with Boston Medical Center (“BMC”), Brigham and Women's Hospital (“BWH”), and Massachusetts General Hospital (“MGH”) totaling $999,000, to resolve allegations that the hospitals had violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)—by inviting film crews on premises to film a television network documentary series, without first obtaining authorization from patients whose protected health information (“PHI”) was disclosed.

OCR initiated its compliance reviews of BMC and BWH based on a Boston Globe article, which indicated BMC and BWH had permitted ABC News to film a medical documentary program at BMC and BWH.

OCR’s investigation of BMC concluded that BMC impermissibly disclosed the PHI of patients to ABC employees during the production and filming of the television program.

Although OCR recognized that BWH had implemented some patient privacy protections, OCR determined based on the times when BWH obtained written patient authorizations that BWH had impermissibly disclosed patients’ PHI to ABC employees during the production and filming of the television program, and also that BWH had failed to safeguard patients’ PHI appropriately and reasonably.

As with the BMC and BWH, a news story—this one posted on MGH’s own website—triggered OCR’s compliance review of MGH. The story indicated ABC News would be filming a medical documentary program at MGH. Like BWH, MGH reviewed and assessed patient privacy issues related to the filming and implemented various protections regarding patient privacy. Despite MGH’s efforts, however, OCR concluded that, like BWH, MGH had impermissibly disclosed the PHI of patients to ABC employees during the production and filming of the television program, and failed to take appropriate and reasonable steps to safeguard patients’ PHI from disclosure.

It is unclear exactly what PHI was disclosed, but OCR guidance suggests that allowing film crews into patient treatment areas is itself a disclosure of PHI, even if electronic or hard copy records are not provided or made visible to the film crew.

While not admitting liability, BMC, BWH and MGH entered into settlement agreements with OCR to resolve the alleged HIPAA violations. BMC paid $100,000; BWH paid $384,000; and MGH paid $515,000. Each entity also agreed to enter into and comply with the terms of a Corrective Action Plan (“CAP”). Among other things, the CAP requires the hospitals to provide workforce training that will incorporate OCR’s guidance on disclosures to film crews and media. This guidance is available online here. It is interesting that the two hospitals that had implemented some privacy protections paid the larger settlements. The size of the settlements may correspond to the sizes of the hospitals or their revenues.

This is the second round of HIPAA enforcement and settlement resulting from filming on hospital premises. In April 2016, OCR settled with New York Presbyterian Hospital for $2.2 million to resolve allegations the hospital violated HIPAA by permitting television crews to film patients without their consent for the show “NY Med.”

As a general rule, HIPAA requires covered entities to obtain written authorizations from all affected patients before filming—or even pre-production activity—begins. A disclosure would be deemed made at the time of the filming, or at the time when the production crew can observe patients within a treatment area of the facility. In addition to HIPAA, state medical confidentiality laws also may expose both healthcare providers and media entities to liability for privacy violations.