On September 20, 2018, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced settlements with three Boston hospitals for disclosing Protected Health Information (PHI) to ABC News documentary film crews. In total, the hospitals paid OCR $999,000 to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Boston Medical Center (BMC) paid $100,000, Brigham and Women’s Hospital (BWH) paid $384,000 and Massachusetts General Hospital (MGH) paid $515,000.
The three hospitals were each accused of impermissibly disclosing the PHI of patients to ABC employees, and BWH and MGH were also accused of failing to appropriately and reasonably safeguard their patients’ PHI from disclosure. In addition to paying the amounts mentioned above, each of the three hospitals was required to enter into Resolution Agreements (Agreements) and Corrective Action Plans (CAPs), as described in more detail below.
Boston Medical Center
OCR initiated a compliance review based on information contained in a Boston Globe article dated January 12, 2015, that indicated BMC allowed ABC to film a documentary at the hospital. As a result of the review, OCR found that BMC impermissibly disclosed the PHI of patients to ABC employees during filming of the documentary. In addition to paying $100,000, BMC’s CAP requires it to ensure that every member of its workforce with access to PHI has access to and becomes familiar with its policy on filming patients, and to send the policy to all members of its workforce along with HHS’s frequently asked question on filming patients at hospitals. BMC must retain all documents relating to compliance with the CAP for six years and produce any of them upon HHS’s request. Any breach of the CAP could subject BMC to an additional civil money penalty pursuant to 45 C.F.R. Part 160.
Brigham and Women’s Hospital and Massachusetts General Hospital
BWH and MGH each agreed to nearly identical restrictions as a result of the investigations conducted by OCR. OCR began investigating each entity following local news stories indicating that ABC News would shoot a documentary program at the hospitals. OCR found that both hospitals impermissibly disclosed the PHI of patients to ABC employees while the documentary was produced and failed to appropriately and reasonably safeguard their patients from PHI disclosure during production. Because OCR found a higher level of culpability for these hospitals than for BMC, they face a more burdensome CAP.
Create Policies and Procedures
In addition to the standard CAP provisions, both entities must develop, maintain and revise written policies and procedures to address the specific issues found by OCR during its investigation. The CAP identified the following six criteria these policies must contain:
- a specific prohibition on filming patients without written authorization;
- a process for evaluating and approving any requests from the media to film at the hospital;
- identification of agents or representatives employees can contact regarding HIPAA compliance in relation to media-related activities;
- a requirement that a hospital employee monitor all photography or filming of patients outside generally accessible areas;
- internal reporting procedures to report and promptly investigate violations of these policies; and
- application of sanctions against employees who violate the policy.
The hospitals will be required to provide these policies to HHS within 60 days of the effective date of the Agreement for review and final approval. The new policies must be reviewed at least annually by the hospital, with revisions and updates made as needed.
Distribute Policies and Train Employees
In addition to creating these new policies, the hospitals will be required to distribute them to employees within 90 days of final HHS approval, and to provide a copy to all new employees within 30 days of their beginning employment with the hospital. Within 90 days of the policies becoming final, each employee must also receive training on the policies as they relate to the employee’s position with the hospital. Any new employee must receive training within 60 days of beginning employment. After the initial training, each employee must receive refresher training annually. In addition, whenever an employee fails to comply with the newly created policies, the hospitals must provide HHS a report describing the infraction and the corrective action taken.
The hospitals must also provide HHS an implementation report, summarizing their efforts to comply with their respective CAPs, within 120 days of HHS giving final approval of the newly created policies and procedures. The report must contain the following elements:
- an attestation by an owner or officer of the hospital that the new policies are being implemented;
- a copy of all training materials and a summary of the training, including the topics covered;
- an attestation by an owner or officer that employees have completed the training required;
- an attestation by an owner or officer that the hospital has complied with all obligations of the CAP;
- a summary of all employee violations of the new policies; and
- an attestation signed by an owner or officer that he or she has reviewed the Implementation Report and believes it to be truthful and accurate.
Lessons to Be Learned
These settlements serve as a reminder of the importance of having and enforcing HIPAA policies for dealing with the media. Of particular note, however, is how the investigations began in the first place. Each of OCR’s investigations began as a result of information OCR found in news articles indicating that film crews would be at these hospitals. This is an important lesson for hospitals: media announcements and public relations efforts may backfire and raise flags with regulators unless handled appropriately.
The disparity between the penalties faced by BWH and MGH and the penalty faced by BMC also serves as a reminder of the importance of appropriately and reasonably safeguarding patients from disclosure of their PHI, and of having proper HIPAA policies in place, when facing allegations of violating the Privacy Rule.
Every covered entity should make sure it has proper policies and procedures in place to safeguard patient PHI. The policies and procedures outlined by HHS in the BWH and MGH settlements offer a good blueprint for creating a compliant policy.
Should you have any questions regarding your own HIPAA policies and procedures or would like assistance creating new ones, please contact a member of Dinsmore & Shohl’s Health Care Practice Group.