Unauthorized Disclosure of PHI Leads to Nearly $1 Million in HIPAA Settlements

On Sept. 20, 2018, the HHS and OCR announced a settlement with the Boston Medical Center, Brigham Women’s Hospital and Massachusetts General Hospital totaling $999,000 in penalties for compromising the privacy of protected health information (PHI) during the filming of a documentary. In this breach, OCR alleged that these hospitals allowed ABC television network to film a documentary series without first obtaining authorization from patients. As part of the settlements, each hospital must create a corrective action plan that includes implementing staff training on the topic and developing policies and procedures around photography, video and audio recording. The policies must include how to evaluate and approve requests from the media to film areas that aren’t otherwise open to the public.

As background, OCR guidance doesn’t allow health care providers to invite or allow media personnel into treatment or other areas of their facilities where patients’ PHI will be accessible in written, electronic, oral, or other visual or audio form, or to otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media. Only in very limited circumstances does the HIPAA privacy rule permit health care providers to disclose PHI to members of the media without prior authorization signed by the individual. A similar (but more substantial) fine was imposed by OCR against New York Presbyterian Hospital back in 2016 for a similar TV series with the same network.

Though each hospital denied wrongdoing and argued that they did receive consent from the patients, the OCR disagreed and stated that they will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization.

While employers don’t need to take any action based on this new assessed penalty, it’s a good reminder that PHI can come in many forms and all covered entities should be diligent to ensure HIPAA compliance.


Source: NFP BenefitPartners
