On September 20, the Department of Health and Human Services Office for Civil Rights (OCR) announced separate settlements with Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH) and Massachusetts General Hospital (MGH) with penalties totaling $999,000. In each instance, ABC News filming a medical documentary prompted OCR to conduct “a compliance review.” In all three separate investigations, OCR found deficiencies.
While the BMC settlement agreement does not provide any details on the specific conduct alleged to be improper, the BWH and MGH agreements note that both hospitals took measures to protect patient information but that OCR nonetheless found those efforts to be inadequate. In those agreements, OCR implies that BWH and MGH obtained at least some written authorizations, but disclosed information to the film crews before obtaining those authorizations.
In addition to the penalty, each hospital is subject to a corrective action plan requiring each to revise policies and train staff. The corrective action plans refer the hospitals to the following frequently asked question on OCR’s website: “Can health care providers invite or arrange for members of the media, including film crews, to enter treatment areas of their facilities without prior written authorization?” OCR added this FAQ in 2016 after reaching a settlement with New York-Presbyterian Hospital for ABC News’ filming of “NY Med.” In its response to the FAQ, OCR instructs that, for non-public areas of a hospital, a written authorization is required “from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media.”
This is a great reminder that providers must be vigilant in protecting patient information, even when patients seem to agree: for example, by ensuring that patients sign authorizations before any disclosure is made. OCR has the authority to initiate investigations or “compliance reviews” without patient complaints. And, as is evident here, OCR will pursue enforcement actions based on its findings.
Keeping up with HIPAA/HITECH regulations is essential. Failure to comply can be costly, with fines ranging from $100 to $50,000 per instance and total penalties reaching over $4 million. Criminal penalties range from one to ten years in prison. And audits are increasing every year. For more information on HIPAA compliance, visit the HIPAAcraticRx.