September 22, 2019

September 20, 2019


Three Boston Hospitals Pay Close to $1 Million in HIPAA Settlements for Disclosing Personal Health Information to Film Crews

On September 20, 2018, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced settlements with three Boston hospitals for disclosing Protected Health Information (PHI) to ABC News documentary film crews.[i] In total, the hospitals paid OCR $999,000 to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.[ii] Boston Medical Center (BMC) paid $100,000, Brigham and Women’s Hospital (BWH) paid $384,000 and Massachusetts General Hospital (MGH) paid $515,000.[iii]

The three hospitals were each accused of impermissibly disclosing the PHI of patients to ABC employees, and BWH and MGH were also accused of failing to appropriately and reasonably safeguard their patients’ PHI from disclosure.[iv] In addition to paying the amounts mentioned above, each of the three hospitals was required to enter into Resolution Agreements (Agreements) and Corrective Action Plans (CAPs), as described in more detail below.[v]

Boston Medical Center

OCR initiated a compliance review based on information contained in a Boston Globe article dated January 12, 2015, that indicated BMC allowed ABC to film a documentary at the hospital.[vi] As a result of the review, OCR found that BMC impermissibly disclosed the PHI of patients to ABC employees during filming of the documentary.[vii] In addition to paying $100,000, BMC’s CAP requires it to ensure that every member of its workforce with access to PHI has access to and becomes familiar with its policy on filming patients, and to send the policy to all members of its workforce with HHS’s frequently asked question related to filming patients at hospitals attached.[viii] BMC must retain all documents relating to compliance with the CAP for six years and produce any documents upon HHS’s request.[ix] Any breach of the CAP could subject BMC to an additional civil money penalty pursuant to 45 C.F.R. 160.[x]

Brigham and Women’s Hospital and Massachusetts General Hospital

BWH and MGH each agreed to nearly identical restrictions as a result of the investigations conducted by OCR.[xi] OCR began investigating each entity following local news stories which indicated ABC News would shoot a documentary program at the hospitals.[xii] OCR found that both of these hospitals impermissibly disclosed the PHI of patients to ABC employees while the documentary was produced and failed to appropriately and reasonably safeguard their patients from PHI disclosure during production.[xiii] Because OCR found a higher level of culpability for these hospitals in comparison to BMC, they face a more cumbersome CAP.

Create Policies and Procedures

In addition to the standard CAP provisions, both entities must develop, maintain and revise written policies and procedures to address the specific issues found by OCR during its investigation.[xiv] The CAP identified the following six criteria these policies must contain:

  1. a specific prohibition on filming patients without written authorization;

  2. a process for evaluating and approving any requests from the media to film at the hospital;

  3. identification of agents or representatives employees could contact regarding HIPAA compliance in relation to media-related activities;

  4. a requirement that a hospital employee monitor all photography or filming of patients outside generally accessible areas;

  5. internal reporting procedures to report and promptly investigate violations of these policies; and

  6. application of sanctions against employees that violate this policy.[xv]

The hospitals will be required to provide these policies to HHS within 60 days of the effective date of the Agreement for review and final approval.[xvi] The new policies must be reviewed at least annually by the hospital, with revisions and updates made as needed.[xvii]

Distribute Policies and Train Employees

In addition to creating these new policies, the hospitals will be required to distribute them to employees within 90 days of final HHS approval, and provide a copy to all new employees within 30 days of beginning employment with the hospital.[xviii] Within 90 days of the policies becoming finalized, each employee must also receive training to become familiar with the policies in order to carry out their positions with the hospital.[xix] Any new employee must receive training within 60 days of beginning employment.[xx] After the initial training, each employee must receive refresher training annually.[xxi] In addition, whenever an employee fails to comply with the newly created policies, the hospitals must provide a report to HHS to include the description of the infraction and what corrective action was taken.[xxii]  

Implementation Report

Within 120 days of HHS giving final approval of the newly created policies and procedures, the hospitals must also provide an implementation report summarizing their efforts to comply with their respective CAPs. The report must contain the following elements:

  1. an attestation by an owner or officer of the hospital that the new policies are being implemented;

  2. a copy of all training materials and a summary of the training, including topics that were covered;

  3. an attestation by an owner or officer that employees have completed the training required;

  4. an attestation by an owner or officer that the hospital has complied with all obligations of the CAP;

  5. a summary of all employee violations of the new policies; and

  6. an attestation signed by an owner or officer that he or she has reviewed the Implementation Report and believes it to be truthful and accurate.[xxiii]

Lessons to Be Learned

These settlements serve as a reminder of the importance of having and enforcing HIPAA policies for dealing with the media. Of particular note, however, is how the investigations began in the first place. Each of OCR’s investigations began as a result of information OCR found in news articles indicating film crews would be at these hospitals.[xxiv] This is an important lesson to hospitals that media announcements and public relations efforts may backfire and raise flags with regulators unless handled appropriately.

The disparity in penalties faced by BWH and MGH in relation to BMC also serves as a reminder of the importance of appropriately and reasonably safeguarding patients from disclosure of their PHI and of having proper HIPAA policies in place when facing allegations of violating the Privacy Rule.

Every covered entity should make sure it has proper policies and procedures in place to safeguard patient PHI. The policies and procedures outlined by HHS in the BWH and MGH settlements offer a good blueprint for creating a compliant policy.

Should you have any questions regarding your own HIPAA policies and procedures or would like assistance creating new ones, please contact a member of Dinsmore & Shohl’s Health Care Practice Group.

[i] Read the HHS announcement at this link: (“HHS Boston Announcement”).

[ii] HHS Boston Announcement.

[iii] HHS Boston Announcement.

[iv] See the three resolutions agreements at these links:

Boston Medical Center: (“BMC Settlement”).

Brigham and Women’s Hospital: (“BWH Settlement”). 

Massachusetts General Hospital: (“MGH Settlement”).

[v] HHS Boston Announcement.

[vi] BMC Settlement at 1; follow link to the referenced article here: (“Globe Article”).

[vii] BMC Settlement at 1.

[viii] Id.

[ix] Id.

[x] Id. at 6.

[xi] BWH Settlement; MGH Settlement.

[xii] BWH Settlement at 1; See the article at this link:

[xiii] BWH Settlement at 1-2; MGH Settlement at 1-2.

[xiv] BWH Settlement at 6-7; MGH Settlement at 7.

[xv] BWH Settlement at 6-7; MGH Settlement at 7.

[xvi] BWH Settlement at 7; MGH Settlement at 8.

[xvii] BWH Settlement at 8; MGH Settlement at 8.

[xviii] BWH Settlement at 8; MGH Settlement at 8.

[xix] BWH Settlement at 8; MGH Settlement at 8-9.

[xx] BWH Settlement at 8; MGH Settlement at 9.

[xxi] BWH Settlement at 8; MGH Settlement at 8.

[xxii] BWH Settlement at 8; MGH Settlement at 8.

[xxiii] BWH Settlement at 9-10; MGH Settlement at 9-10. The sixth requirement only applies to MGH.

[xxiv] BMC Settlement at 1; BWH Settlement at 1; MGH Settlement at 1.

© 2019 Dinsmore & Shohl LLP. All rights reserved.


About this Author

Matthew Arend Litigation Attorney Dinsmore Shohl, privacy, data security

Matt is a member of the Health Care Practice Group, focusing his practice on all aspects of federal and state privacy and data security issues, including HIPAA compliance, breach analyses, and governance. He also routinely advises clients on compliance with federal and state anti-kickback laws, Stark law, Sunshine Act, Medicare Secondary Payer laws, pharmaceutical marketing rules and other regulatory matters. Additionally, his thorough knowledge of the healthcare arena enables him to counsel clients through audits and investigations, as well as providing training and...

Tyler Simms, Dinsmore Law Firm, Columbus, Corporate and Healthcare Law Attorney

Tyler focuses his practice on health care law.

He received his J.D. from The Ohio State University Moritz College of Law and his experience includes researching topics related to health care, litigation and alternate dispute resolution.

While in law school, he was an articles editor on The Ohio State Law Journal and an executive board member of the Moot Court Governing Board. He also competed on the national civil rights and liberties moot team.

Jennifer Mitchell, health care practice group partner, Dinsmore Shohl, law firm,

Jennifer is a Partner in the Health Care Practice Group and leads the firm’s HIPAA Privacy and Security practice and initiatives. In her HIPAA practice, she works with clients to minimize the risk of privacy and data security issues, assisting with all aspects of HIPAA privacy and security compliance, governance, audits/investigations, breach analyses, training and strategic planning. She has a thorough understanding of federal and state privacy and confidentiality laws and has served as a health care privacy expert witness. 

Within the...

Eric J. Plinke, Dinsmore Law, Health Care Lawyer, Corporate Attorney

Eric Plinke is a Partner in the Corporate Department and Health Law Practice Group, and he routinely advises corporate and individual clients regarding a wide-range of health care industry legal issues. He has counseled clients in practice formation and acquisition, hospital and joint venture transactions, hospital and medical practice affiliations, contract review and preparation, compliance programs, HIPAA regulations, scope of practice issues, telemedicine and Stark law and Anti-kickback statutes, as well as significant experience counseling in ambulatory surgery centers and other joint...