$999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations
Three hospitals that allowed an ABC film crew to record footage of patients as part of the Boston Med TV series have been fined $999,000 by the Department of Health and Human Services’ Office for Civil Rights (OCR) for violating Health Insurance Portability and Accountability Act (HIPAA) Rules.
This is the second HIPAA violation case investigated by OCR related to the Boston Med TV series. On April 16, 2016, New York Presbyterian Hospital settled its HIPAA violation case with OCR for $2.2 million to resolve the impermissible disclosure of PHI to the ABC film crew during the recording of the series and for failing to obtain consent from patients.
Fines for Boston Medical Center, Brigham and Women’s Hospital, & Massachusetts General Hospital
Boston Medical Center (BMC) settled its HIPAA violations with OCR for $100,000. OCR investigators determined that BMC had impermissibly disclosed the PHI of patients to ABC employees during production and filming of the TV series, violating 45 C.F.R. § 164.502(a).
Brigham and Women’s Hospital (BWH) settled its HIPAA violations with OCR for $384,000. BWH allowed an ABC film crew to record footage between October 2014 and January 2015. Prior to filming, BWH conducted a review of patient privacy issues and provided the ABC film crew with HIPAA privacy training – The same training that was provided to its workforce. BWH also obtained written authorizations from patients. However, OCR determined that despite those measures, HIPAA Rules were still violated. In the resolution agreement, OCR wrote, “Based on the timing of when BWH received some written patient authorizations, BWH impermissibly disclosed the PHI of patients to ABC employees,” in violation of 45 C.F.R. § I64.502(a). BWH also failed to reasonably safeguard the PHI of patients: A violation of 45 C.F.R. § 164.530(c).
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Massachusetts General Hospital (MGH) settled its HIPAA violations with OCR for $515,000. The hospital similarly allowed a film crew to record footage between October 2014 and January 2015. A review of patient privacy issues was also conducted, and the film crew was provided with the same HIPAA privacy training that MGH provides to its employees.
As was the case with BWH, OCR determined that 45 C.F.R. § I64.502(a) was violated as authorizations were received after an impermissible disclosure and MGH failed to appropriately and reasonably safeguard patients’ PHI from disclosure during the filming of the series in violation of 45 C.F.R. § 164.530(c).
In addition to covering the financial penalty, each of the three hospitals must adopt a corrective action plan which includes providing further training to staff on the allowable uses and disclosures of PHI to film and media.
“Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments,” said Roger Severino, OCR director. “Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”
HIPAA Enforcement in 2018
OCR had a record year for HIPAA penalties in 2016 when it agreed 12 settlements to resolve HIPAA violations and issued one civil monetary penalty. 2017 saw 9 settlements reached with HIPAA-covered entities and one civil monetary penalty issued.
2018 has seen a reduction in financial penalties for HIPAA violations, with only three penalties issued prior the September 20, 2018 announcement. These latest three settlements bring the total number of OCR HIPAA violation penalties for the year up to six.
HIPAA Penalties and Settlements Agreed with OCR in 2018
| Entity | Penalty | Penalty Type | Reason for Penalty |
| Boston Medical Center | $100,000 | Settlement | Filming patients without consent |
| Brigham and Women’s Hospital | $384,000 | Settlement | Filming patients without consent |
| Massachusetts General Hospital | $515,000 | Settlement | Filming patients without consent |
| University of Texas MD Anderson Cancer Center | $4,348,000 | Civil Monetary Penalty | Lack of encryption and impermissible disclosure of ePHI |
| Filefax, Inc. | $100,000 | Settlement | Impermissible disclosure of PHI |
| Fresenius Medical Care North America | $3,500,000 | Settlement | Multiple HIPAA Violations |
HIPAA Settlements with State Attorneys General in 2018
In addition to the penalties issued by OCR, there have been four settlements reached between HIPAA covered entities and state attorneys general in 2018.
| State | Covered Entity | Amount | Reason for Penalty |
| New York | Arc of Erie County | $200,000 | Online Exposure of PHI |
| New Jersey | Virtua Medical Group | $417,816 | Online Exposure of PHI |
| New York | EmblemHealth | $575,000 | Exposure of PHI in Mailing |
| New York | Aetna | $1,150,000 | Exposure of PHI in Mailing |
