The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently announced three settlements arising out of the alleged impermissible disclosure of protected health information (PHI) during the production and filming of Boston Med, a popular television program, on the hospitals’ premises. These settlements serve as an important reminder that providers must remain vigilant in their interactions with the media and entertainment industry when patients and their PHI may be involved.
Guidance and Relevant Enforcement History
HIPAA generally prohibits providers from disclosing PHI unless the patient or personal representative authorizes the disclosure or the disclosure fits an exception. In 2016 and in the aftermath of another settlement involving an alleged impermissible disclosure to the media, the OCR developed guidance on this topic in the form of a Frequently Asked Question (FAQ). In the guidance, the OCR makes it clear that prior written authorization is needed from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media. The OCR also noted in the FAQ that it is not sufficient to request or require the media to mask identities using techniques such as “blurring, pixilation or voice alteration software.” Further, the “provider must ensure that reasonable safeguards are in place to protect against impermissible disclosures or to limit incidental disclosures of other PHI that may be in the area but for which an authorization has not been obtained.”
The Settlements and OCR Findings
The settlements, which were announced on September 20, 2018, involved Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH), and Massachusetts General Hospital (MGH) and resulted in the hospitals paying a collective resolution amount of $999,000 to the OCR. The resolution agreements provide that OCR initiated a compliance review of each hospital triggered by a news story indicating that a film crew had been or would be filming the documentary at the hospitals. In the cases of BWH and MGH, the resolution agreements note that the hospital reviewed and assessed patient privacy issues related to the filming and implemented various protections, which included providing the film crew with HIPAA training. The OCR found, however, that in these two situations, based on the timing of when written patient authorizations were received, the hospitals had impermissibly disclosed the PHI of the patients during production and filming. Presumably, the written HIPAA compliant authorizations were secured after production and filming, not before. The OCR also found that BWH and MGH failed to appropriately and reasonably safeguard patient PHI from disclosure during the filming. The BMC resolution agreement provides less background (and less onerous requirements) than the other two, noting only that the OCR found that BCM impermissibly disclosed the PHI of patients during filming and production.
As part of the settlement, each hospital entered into a corrective action plan (CAP) with the OCR. The CAPs for MGH and BWH require each hospital to develop, maintain and revise written policies and procedures to address the alleged impermissible disclosures, by including:
- A prohibition on use or disclosure of PHI for photography, video recording, or audio recording that is not otherwise permitted or required by the Privacy Rule before a valid authorization is obtained from the subject patient;
- A process for evaluating and approving requests from media to film in areas not publicly accessible;
- Identification of hospital personnel who workforce members may contact in the event of an inquiry or concern regarding media and other similar requests;
- A requirement that all hospital workforce members actively monitor all photography, video recording, and audio recording conducted on premises by media in areas not publicly accessible;
- Internal reporting procedures requiring workforce members to report to the designated person or office any violations of these policies and procedures; and
- Appropriate sanctions against workforce members who fail to comply with these policies and procedures.
Among other requirements, the MGH and BWH CAPs also require training for workforce members whose job function involves reviewing and approving access or filming by media or who work with the media. The training must cover the related media and filming topics that will be covered in the policies and procedures and employees must certify to completion of the training.
Practical Tips for Providers in Preparing for Media and Hollywood Interactions
In light of the recent settlements and the existing guidance, providers must exercise caution when navigating interactions with the media and the entertainment industry. In the cases involving MGH and BWH, the hospitals attempted to take steps in advance of filming to comply with HIPAA by reviewing policies and procedures and training the film crew on HIPAA practices. Notably, these steps were insufficient. Providers must weigh the benefits of the disclosure and their confidence that they are HIPAA compliant against the risks that the interaction with the media may not be compliant. Further, any patient authorizations for a disclosure must be obtained prior to the disclosure (and not after the disclosure, as the facts in the MGH and BWH resolution agreements suggest occurred).
In preparation for media and entertainment industry requests and visits, providers should:
- Develop policies and procedures that address requests from the media and similar outlets that involve the potential disclosure of PHI.
- Develop a process for the in-take of all media, film crews and similar requests to be on the premises. The process should evaluate the need for any agreements between the parties, and specify the space to be accessed and who will escort the visitors. The process should also address the process for removing PHI from the area, among other considerations.
- Consider creating a special authorization unique for disclosures to the media, film crews, and similar outlets that clearly describes the information to be disclosed, the purpose of the disclosure, and identifies those to whom the disclosure may be made.
- Train physicians and workforce members on the policies and procedures for interacting with the media and Hollywood.
Improper disclosures such as those to the media and other film crews pose significant risks to the patients who are the subject of the information and the providers who make the improper disclosures. Risks to providers can range from civil litigation and OCR and state attorney general investigations to bad publicity. Providers can manage their risk and increase compliance by developing policies and procedures that protect patient privacy in compliance with HIPAA and by training their workforce on media and public affairs communications.