HIPAA In Front of the Camera

By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure#HCdeJure

HIPAA and the media can be a risky combination for healthcare organizations. Prior HIPAA settlements imposed by the Office for Civil Rights have dinged hospitals for allowing reality television shows to be filmed in the hospital and speaking with a reporter to refute a patient complaint. The focus always comes back to maintaining privacy and respecting personal information about patients.

The complications that can arise with interacting with the media are coming to the fore again during the COVID-19 pandemic. The public is worried and wants as much information as possible, which in turn relies upon reports presented through the media. To obtain information, the media may reach out to a hospital or other healthcare organization or seek to bring crews to a location. All such actions and other alternatives just mean the possibility of exposing information about one or more patients.

Given the attention, OCR issued another round of pandemic driven guidance. The new guidance focuses on media interactions and, contrary to many other pandemic driven announcements, does not reveal a new relaxation of HIPAA requirements or enforcement discretion. Instead, OCR clearly reminds that all normal privacy protections remain in place for interactions with the media. Paraphrasing OCR, just because a public health emergency exists, does not mean that patient authorization can be skipped before sharing information with the media. The statement is a strong one in terms of respecting privacy, though very much focused on one particular scenario.

If the normal status quo remains for interactions with the media, what does that mean? In the simplest terms (without nuance), patient authorization is required before information can be shared with the media. If individual patient information will be disclosed, then the individual must be afforded the opportunity to permit the disclosure. The opportunity to authorize also means before any disclosure occurs, not after the fact (the issue that landed more than a few hospitals in hot water a few years ago in connection with a reality show). Additionally, an individual’s treatment cannot be conditioned upon granting the authorization (hopefully no organization would seek such an impediment at any time).

The simplistic description though carefully and intentionally does not state that patient authorization is always required. Provisions of the HIPAA Privacy Rule are why an absolute statement cannot be made. The Privacy Rule allows facility directory information to be provided without authorization unless the individual objects to being included in the directory. Additionally, an organization may disclose limited amounts of protected health information to obtain help in determining the identity of an unknown patient. The instances where disclosure is permitted are not wholesale permissions though, but only allow a small amount to be revealed.

Going through the details of interactions between healthcare organizations and HIPAA so far has not addressed when or how video can be done. HIPAA does not wholesale prevent the media from coming to a hospital, for example, and filming. The film crew could be placed in an area of the hospital where no patient information is visible or could be overheard, such as an interview room or other non-patient care area. In that instance, the healthcare organization could have an in-depth media interaction, provided that statements do not go into a danger zone.

The first scenario is a controlled environment though. What happens if a media crew shows up and sets up outside the facility or another spot near the facility? If the media crew is not seeking permission and just setting up camp, then the facility should do what it would in any instance. Specifically, use reasonable efforts to protect patient privacy and not make it easy for information to be obtained inadvertently. Such protections apply in any instances when unapproved filming or photography occurs and may be covered by a general policy that an applicable organization has adopted.

The OCR guidance goes to show that not all privacy expectations are relaxed during the pandemic. Even where there has been some relaxation, taking all reasonable steps and measures to respect and honor privacy is the recommended course of action. Respecting privacy engenders trust and loyalty.

This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.