Lights, Camera…HIPAA

In the age of social media and reality TV, some people document their surroundings and behaviors regularly. Many of us think nothing of pulling out our cellphones to capture moments or otherwise memorializing our lives. But HIPAA-covered entities[1] must be proactive about the use of photographic and recording devices to ensure that they are in compliance with federal regulations.

Photography or filming that is not treatment-related should be prohibited in health care facilities, especially treatment areas, unless there is prior written authorization from the patient(s). If an entity determines that it is necessary to photograph or record on-site, they must ensure that they are taking appropriate steps to ensure that their process is HIPAA compliant. That is why it is so important for health care entities to have adequate, accessible and updated policies and procedures, along with ongoing training to ensure that their workforce is aware of the conditions and restrictions that apply in the health care setting.

This may be best illustrated by a recent $999,000 civil monetary settlement that the Department of Health and Human Services, Office of Civil Rights (OCR) entered into with three health care entities collectively. Those entities included: Boston Medical Center (BMC), a Disproportionate Share Hospital; Brigham and Women’s Hospital (BWH), a major teaching hospital of Harvard Medical School; and Massachusetts General Hospital (MGH), a not-for-profit academic medical center. These incidents stemmed from the filming of an ABC television documentary series. In each instance, the entity allowed ABC network to film on-site without first obtaining HIPAA authorizations from patients. The filming crew had access to protected health information (PHI) as they performed their duties.

Each of the three health care entities was assessed civil monetary penalties based on their non-compliant behavior. In the cases of BWH and MGH, the entities took steps to require the filming crew to view the HIPAA training that they require of their workforce members and believed that to be sufficient. While viewing a HIPAA training video may have educated the filming crew on some basic HIPAA requirements, since the filming crew was not considered a part of the health care entity’s workforce, the regulations specifically require patient consent prior to PHI being viewed or accessed by non-workforce members.

In addition to the monetary assessment, each entity was required to enter into a corrective action plan which required them to develop, revise and maintain appropriate policies and procedures relating to photography, film and media. They were also required to provide additional training so that workforce members were fully aware of the updated standards.

Training Videos and Public Relations Materials

There may be instances in which health care entities desire to produce training videos or develop public relations materials. When this occurs, the entity should enter into a Business Associate Agreement with the individual or company that is being hired to produce or develop the product. The Business Associate Agreement would require the individual or company being hired to comply with HIPAA standards and only utilize PHI for the purposes outlined in the agreement. Additionally, if specific patients are being interviewed or having their images captured, the entity should attain a written authorization from those patients before any material, images, or PHI regarding that patient can be disseminated.

It is extremely important that health care providers carefully consider their policies on photography, filming and media. It is also necessary to ensure that those policies and procedures are communicated to their workforce to ensure compliance. Should your entity have questions about creating or revising policies and procedures in accordance with HIPAA regulations, they should contact a health care compliance professional for guidance.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala.  Attorney Dunson is also Of Counsel with the law firm of Balch & Bingham, LLP.  The Dunson Group, LLC, is an official partner with the Medical Association.

[1] HIPAA covered entities include health care providers, health plans and health care clearinghouses who transmit any health information in electronic form in connection with a covered transaction. 45 CFR 160.103.