In this episode of The Risk Perspective, we are joined by David Holtzman, Executive Advisor at CynergisTek and industry-recognized HIPAA expert. We are also excited to be joined by a new guest, Andrew Mahler, Senior Manager of Privacy and Compliance Services at CynergisTek. Andrew has a background serving as an Investigator for the U.S. Department of Health and Human Services Office for Civil Rights (OCR).
Together, Andrew and David highlight and discuss major HIPAA violations in the past, speak about the importance of OCR regulations and involvement, and talk about how HIPAA disclosures to the media have changed during the time of COVID-19. This 34-minute episode deep dives into HIPAA media disclosures and is sure to benefit all listeners, from marketing specialists to CISOs.
Links To Content and Articles:
- Read David Holtzman’s blog ‘OCR Warns Hospitals: No News Media in Treatment Areas Without Patient Authorization’, written on May 27, 2020.
- David Holtzman was recently quoted in HealthcareInfoSecurity’s article ‘Inside Job at Clinics: Mobile Phone Used for Fraud’, written by Marianne Kolbasuk McGee, discussing potential risks posed by employees inappropriately using personal devices during COVID-19.
- For a full repository of COVID-19 crisis resources, visit our CTEK COVID-19 Communications page for news, articles, podcasts, and more.
- Contact us with any questions regarding the regulatory changes during the COVID-19 crisis.
Hello and welcome to CTEK Voices: The Risk Perspective. I’m your host, Lauren Frickle.
I’m also joined by a new guest, Andrew Mahler, Senior Manager of Privacy Services, Privacy Managed Services, and Compliance Services at CTEK. Andrew brings extensive enforcement and operational leadership experience to today’s conversation. Andrew has served as an investigator for the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), holds and has held many positions as Chief Privacy Officer for large universities and academic medical centers, and has published and presented on HIPAA-related topics.
Together, David and Andrew will discuss today’s topic on HIPAA disclosures to the media.
Hello, David and Andrew. Welcome to the show.
Thank you, Lauren, this is David, and I’m really pleased to be here.
So today, we’re here to talk about issues that have come about through the recent and ongoing pandemic involving COVID-19, but also sort of longstanding questions and concerns regarding how healthcare organizations and healthcare providers who are subject to the HIPAA Privacy Rule can make disclosures to the media, and the steps that must be taken to protect the privacy of patients and their families when making those disclosures.
So, as more and more COVID-19 patients have come through hospital doors, local and national media outlets have been let in to share sometimes intimate looks at the battle to save lives in emergency rooms and critical care units.
Doctors and nurses are also turning to social media to give a peek into the front lines that they are experiencing in caring for patients. But allowing members of the media, including film crews and other production assistants, to enter treatment areas of healthcare facilities runs a high risk of exposing patients’ health information.
These disclosures violate the HIPAA Privacy Rule unless the healthcare provider or the hospital has obtained the prior written authorization, signed by each individual who is or will be, in the treatment areas that will be made accessible to the media. It’s important to remember that the HIPAA privacy rule standards allow for the disclosure of PHI without the authorization of the patient.
When the patient is not able to communicate for themselves, these permissions can be made by the personal representative designated by the individual.
The HIPAA Privacy Rule allows disclosures without authorization only when required or permitted by the rule. The safeguard provisions of the Privacy Rule require covered entities and their business associates to put into place appropriate administrative, physical, and technical policies, or safeguards, to prevent the unauthorized disclosure of PHI.
So, Andrew, I was wondering what thoughts you might have to introduce this topic?
Sure, David. Thanks so much for that great introduction!
This is a really timely and fantastic topic to be discussing, you know, as we are currently working our way through the COVID-19 public health crisis and pandemic. And I know that a lot of privacy and compliance officers and others that are involved in compliance, legal, and risk decisions are thinking through, you know, these questions and issues around allowing media and the press and others into these clinical and sensitive spaces.
So, a few things that I think would be important for us to touch on, just as we start diving a bit deeper on this issue, is to talk through a few of the more important and recent enforcement cases made by the Office for Civil Rights.
And I’ll touch on a couple, and then, David, I’m hoping maybe you’ll be willing to dive a bit deeper with some other cases that may not be as familiar to some of our listeners.
The first case, which is probably on the forefront of most privacy officers’ minds when they’re thinking about enforcement related to disclosures to the media, is the case involving New York-Presbyterian Hospital.
In April 2016, New York-Presbyterian Hospital accepted a resolution agreement and a corrective action plan that included a payment of over $2 million involving the disclosure of protected health information, or PHI, resulting from the filming of an ABC network series called New York Med. The investigation by OCR in this case found that the film crews and television production staff had unfettered access to the hospital’s treatment areas, which included patients’ PHI, in the form of images and so forth, disclosed without first obtaining a valid authorization from those patients.
And we’ll talk a bit further (as we move into this podcast) around valid authorizations, what’s included in a valid authorization, and why these documents are so important. And in this case, it actually led OCR to produce guidance in the form of an FAQ that specifically addressed how the HIPAA rules apply to situations involving media access to PHI, and it included clearly articulating the fact that print reporters and film crews are not allowed into treatment areas without a prior authorization from patients.
Another example was in September 2018, in which three hospitals in Boston reached settlements with OCR resolving HIPAA violations growing out of a second ABC television production.
Massachusetts General Hospital, Brigham and Women’s Hospital, and Boston Medical Center had each allowed filming and production of a documentary in which patients had been filmed along with physicians discussing their treatment. And, like in the earlier case, this was also done without first obtaining a valid authorization from each of the patients.
As the director of OCR put it: “Patients in hospitals expect to encounter doctors and nurses when getting treatment. Not film crews recording them at their most private and vulnerable moments.”
So with that, David, I’m hoping you may have a couple of other examples that may take us even a bit deeper into some of these enforcement examples.
Thank you, Andrew, those are great examples, and that’s a very powerful statement that attempts to establish the balance between healthcare providers and patients regarding the use of their information outside of treatment, in sharing with the media.
But these situations are not limited to television production or the large hospital environment. We see these opportunities occurring, and these problems cropping up, in the day-to-day activities of small physician practices and involving other types of public media, including print media and social media.
An example of this was found in a case that OCR resolved in November of 2018, in which a resolution agreement with a small physician practice was put into place because a physician had disclosed PHI to a reporter after a patient complained to a local television station about the provider’s practice.
OCR’s investigation found that the patient had contacted a TV station in the local community concerning a dispute with the physician. The reporter then contacted the physician asking for the physician to comment on the dispute.
And in responding, the physician disclosed the patient’s PHI without first obtaining the authorization of the patient. In the mind of the physician, the physician told OCR that they thought it was only fair, that they had an opportunity to defend themselves from the charges and allegations that were made by the patient.
Interestingly, in this case, the practice’s Privacy Officer had become aware of the situation and had provided the physician with direct and written advice concerning the organization’s policies and procedures, which set guidelines for how employees and workforce members, including the physicians, could use and disclose PHI in situations with the media.
But, in this event, the physician disregarded the advice they had been provided by the Privacy Officer (their own internal compliance official) and went ahead and made the disclosure to the media.
So, as a result, OCR came down really hard in this case. In fact, this is the first example of OCR using its enforcement power against a physician’s practice regarding a disclosure to the media.
They paid a relatively small penalty of $125,000, but they had a rather lengthy corrective action plan that included ensuring that physicians understood what the privacy rules require and that the physician practice discipline its physicians when they violated the internal policies and procedures.
In October 2019, an OCR resolution brought to light challenges involving social media usage by healthcare providers. Many healthcare providers have relationships on social media.
Whether they be informal relationships, like a Facebook page in which they have a chat room or sometimes communicate with patients, or a paid advertising space, such as on Yelp, in which they advertise their practice, through the social media application there is an opportunity for third parties, and others who are using the application, to post comments and thoughts about the healthcare practice.
In this particular case, the dental practice agreed to a resolution agreement with the OCR to resolve HIPAA violations that arose when a patient’s PHI was disclosed through one of these social media posts.
On a number of occasions, a patient of the healthcare provider had posted a review on the provider’s Yelp page, a webpage that the dental practice had purchased as a part of its marketing efforts. The dentist had responded to critical comments posted by an individual who said they were a patient by releasing information about the treatment that the patient had received, without first obtaining the authorization of the individual.
OCR called out the practice for failing to have a policy and procedure regarding disclosure of PHI to ensure that its social media interactions protected the PHI of its patients.
So, Andrew, those are just a couple of examples of the challenges that patients and healthcare providers face in dealing with the media, either through one-on-one interactions or through the social media space.
So, Andrew, I was wondering if you have any thoughts about what some of the general rules may be regarding these issues?
Sure, I do.
Something I’d like to say even before I dive into a bit more about the rules that guide some of these decisions around how an entity or an organization uses or discloses PHI, is I just would like to point out, you know, as you talked through those two cases, we’re really talking about a physician or an organization responding to a patient care question, or complaint, or other types of information shared directly by a patient.
And I know that for a lot of organizations that we work with, it’s a scary balancing test for them to figure out how to best negotiate and respond to questions, concerns, and issues raised by patients, whether it’s on Yelp, potentially in the media, or on Facebook or Twitter, and how they can best do that in a way that both protects the organization as well as protects the privacy and security of that patient.
And I hope that as we talk a bit more, you know, during this particular podcast, maybe some of those answers will come to light. And, David, I’m sure you’ll have some thoughts and suggestions for organizations as they think through that balancing test.
So the general rule, when an organization is thinking about or considering whether or not they’re going to respond to a request from the media or permit the media or press to actually come on site, come into, you know, the treatment areas, come into other areas of the hospital or the organization, is that they really need to be thinking about signed, valid authorizations from each patient.
A written authorization of the patient that is going to be present in that treatment area or is expected to be in the treatment area must be obtained prior to disclosing or allowing any access to their PHI. Healthcare providers cannot invite or allow media personnel, which, of course, includes film crews into treatment or other areas of the facilities where PHI will be accessible.
And some examples of PHI, just for some of our listeners: you know, we’re not just talking about written PHI, you know, that may be on papers in the form of a letter or a document, and we’re not just talking about electronic PHI that may be in the form of the health record. And in some cases, you know, you may have seen a news story that prominently features, you know, images of a computer screen with the medical record. That would be an example of electronic PHI.
But we’re also talking about verbal PHI. So, are the staff members or the workforce members discussing patient care treatment? Are they disclosing any of those individual identifiers as part of that conversation? And is there any other type of visual or audio? So, is there a recording of the patient’s voice as they’re discussing, for example, COVID-19 symptoms?
In these cases, whether it’s written, verbal, electronic, or audio, it is vital that a covered entity, a provider or a health system, obtain that written, signed authorization from each patient. And as we continue this conversation, I think we’re all understanding that this is within the context of our current public health crisis.
You know, I know, for myself, I have seen news stories that, you know, involve the filming of a patient care area within a hospital, involving the filming of a testing site where they’re doing COVID-19 testing. And, of course, lots of print journalism about how this testing is being performed and how many people are being treated at various facilities, that sort of thing.
And you know, we understand that these things are important for us to know as a community and as a country, thinking about how we’re treating and thinking about this current pandemic. We know that in light of that OCR has made some recent decisions to relax some enforcement of the HIPAA standards for healthcare providers that are operating some of those testing sites.
And some of that relaxed enforcement removes the threat of the agency levying certain fines or penalties for violation of the Privacy and Breach Notification Rules when that covered entity, that organization, allows members of the media to observe or film treatment associated with services that are provided alongside or contemporaneously to the testing service.
So, that’s kind of the general gist of where OCR has been headed over the past couple of months. And David, I’m hoping that you may have some additional insight to speak a bit more to some of the enforcement decisions that OCR is currently thinking about.
Thanks, Andrew, and I think you make a really good point. And just to lay the foundation here a little bit further out, what we first saw was OCR making a very strong statement in response to images that were being broadcast through many media outlets of treatment that was being provided in healthcare spaces, particularly hospitals, that was being filmed by media crews, as well as the recordings that were being made by individual physicians and frontline healthcare providers.
And OCR was making a very strong statement that these should not be happening, because the Privacy Rule makes it extremely difficult for news to be made out of the treatment area. It just disrupts the balance in privacy between the public’s need to know and the patient’s right to privacy.
And, to OCR’s credit, I think they got it right. I do think that there is a time and place for, media access, to raise public awareness as to the importance of the pandemic, and, of its impacts on our health care system, and on individuals, who are afflicted with, coronavirus.
By the same token, OCR seems to have muddied the waters with its recent Notice of Enforcement Discretion for community-based testing sites during the COVID-19 nationwide public health emergency.
So, to just kind of lay a picture: we’ve seen, in many communities, testing facilities that are being sponsored by healthcare providers, hospitals, and public organizations, whether they be health departments or, where I live in Maryland, the state, which has set up actual testing centers that are operated at state facilities.
And OCR has established this sort of exception, this zone, that tells these organizations that may or may not be subject to HIPAA that the same rules don’t apply to them.
And through their notice of enforcement discretion, they’re saying they encourage, but do not require, that covered entities and business associates who are subject to the HIPAA privacy rules and are operating these community-based testing sites put into place physical safeguards to shield patients from view during the testing process, as well as provide a buffer to keep the media away from patients at these community-based testing sites, or CBTSs.
And I think this creates a really uncomfortable distinction and confusing situation for folks, as well as sort of creating a problem, or a concern, for those individuals who are going to these testing sites, who may not realize that they are making a choice to put their privacy at risk, and that the same privacy protections that would be in place if the services were within the four walls of the healthcare provider are not in place when the services are conducted out in the parking lot.
So, generally, there are very limited situations in which the HIPAA Privacy Rule permits a covered entity to disclose limited PHI to the media without first obtaining a HIPAA authorization.
So, for example, a covered entity may seek to have the media help identify or locate the family of an unidentified and incapacitated patient in its care. In that case, the covered entity may disclose limited PHI (the minimum necessary amount) about the incapacitated patient to the media, if in the healthcare provider’s professional judgment doing so is in the patient’s best interest.
In addition, a covered entity may disclose a patient’s location in the facility and condition (in general terms), but may not communicate specific medical information about the individual to any person, including the media, without first obtaining a HIPAA authorization, if the individual has not objected to his or her information being included in the facility directory and the media, a representative, or another person asks for the individual by name.
So, this situation will arise when a member of the media, is calling a healthcare organization, usually a hospital and asks for a patient by name, and asks, how are they doing or are they in the facility?
And if the patient or their personal representative has not objected to information about that individual being included in the hospital directory, then the healthcare organization, following its usual policies and procedures, can disclose information about that individual, limited to what it would normally include in the hospital directory, to the media outlet or anyone else who contacts the hospital and asks for the individual by name.
This is a limited amount of information relating to the patient’s name and their general, overall condition, and that is it! It can’t go into the details of the diagnosis. It can’t go into the details of the circumstances of how they came to the attention of the healthcare organization and hospital. Nor can they share additional information about the progress, or prognosis for further treatment. So, it’s a very limited amount.
It’s also important to remember that hospitals and other healthcare providers do not have to provide a directory. It is permitted by the Privacy Rule, but it’s not required. What is required is that the information must be limited, and any additional information can only be disclosed with the authorization of the individual or their personal representative.
So, a healthcare provider may also utilize the services of a contract film crew to produce training videos or public relations materials on the provider’s behalf, if certain protections are put into place.
If patients are to be identified by the provider and interviewed by a film crew, or if PHI might be accessible during filming or otherwise disclosed, the provider must enter into a business associate agreement with the film crew, which is acting as its contractor, or vendor if you will, for the development of these training materials. They are acting as a business associate.
Among other requirements, the business associate agreement must ensure that the film crew will safeguard the PHI it obtains, only use or disclose the PHI for the purposes provided in the agreement, and return or destroy any PHI after the work for the healthcare provider has been completed.
As a business associate, the film crew must comply with the HIPAA Security Rule and a number of other provisions in the Privacy Rule, including the rule’s restrictions on the use and disclosure of PHI.
In addition, authorizations from patients whose PHI is included in any materials would be required to be obtained before such materials are posted online, printed in brochures that are accessible to the public, or otherwise publicly disseminated.
Andrew, we’ve kind of gone through some of the examples for when these situations arise and what problems can crop up when the healthcare provider is communicating with the media.
Do you have some thoughts on some approaches that organizations can take to plan for, or be proactive in preparing for, these types of situations?
Sure, David, and I know you have raised some really interesting solutions and provided some information that will hopefully help healthcare providers and other entities think through some of these complex questions and be able to act quickly when there is a question or an issue involving media access. And something that is really vital for organizations to consider is what their plan is.
So, who is going to be making the decision around allowing media, or the press, journalists, other third parties, into the spaces, into the facility, the testing site, to interact with patients, and is there a coordinated approach?
What an organization does not want to have happen is to be in a position where the media, for example, goes directly to the emergency department or the emergency room and asks somebody that’s staffed there, “Hey, can we come in and film patients?” And for that emergency department personnel, workforce member, or whomever it is, to simply give a yes or no answer without first raising the flag to the organization, to say, you know, who needs to make this decision? And can we have a coordinated approach to make sure we’re doing this in a way that protects the privacy and security of our patients, and also complies with the HIPAA Privacy, Security, and Breach Notification Rules?
So, some examples and some people to consider, as an organization is drafting an approach or thinking through an approach, would be looking at offices and titles.
Such as marketing and communication, human resources, senior leadership, so the C-suite, risk management, and the Office of General Counsel, as well as treatment providers. And, of course, you know, it goes without saying the privacy office and the compliance office will also be key advisers in helping your organization make a safe and ethical decision.
So, the goal here is for an organization to have a really collaborative communicative approach. So that not one person is making the sole decision about whether or not an ABC News Crew, the local press, is allowed to come on-site and interact with patients.
So, with that in mind, knowing there is, you know, a whole host of individuals and offices to think about when an organization is considering this question.
David, I’m wondering if you have some additional thoughts around documentation, policies, procedures, and so forth, that an organization is going to also want to consider as part of their approach to responding to these sorts of inquiries.
Well, Andrew, I think you’re absolutely right on identifying the right issues here. It is all about coordination, collaboration, and planning. Having policies, procedures, and training starts with bringing all of these folks together.
I think what is key, in my experience, has been working specifically between the privacy officer and the marketing and communications folks to educate on both what the opportunities for communication are and establishing real-world scenarios in guidelines for how the privacy rules and the expectations of the organization interact, to set down some helpful advice for both planned and unplanned opportunities for communicating with the media.
So, having a process in place where the marketing/communications folks have the ability to understand what a proper authorization is and the circumstances under which the authorizations must be obtained, not just from patients who are currently in the facility. But, when there is an expectation that there’s going to be a film crew on site, or that media representatives will be coming into the facility, that patients, as they arrive into the facility and may be given either access or have their images used at the facility, have an opportunity to first be made aware of the presence of the media.
And, secondly, be given the option of whether or not their PHI, which includes their physical presence, their image, their location in the facility, will be allowed to be used. So, there’s also an opportunity to think through how to modify planned media opportunities to prevent PHI from being accessed or disclosed.
Oftentimes, we can help protect patient privacy by interviewing and filming personnel or treatment professionals in unused or empty treatment areas, and ensure that there’s a clean desk policy being followed when media is allowed on site.
In my experience, we would have a representative of marketing go through an area prior to the arrival of the media representative to ensure that PHI was covered or was removed and not visible when reporters or staff from the media outlet were going to be present in the healthcare facility.
So, it’s important to remember the two keys to ensuring that patient privacy is protected when the media is allowed access into a healthcare facility, or when the individual healthcare provider will be interacting with the media, either in person or through social media.
First, to have policies and procedures in place that empower a culture of privacy within the organization. And secondly, to develop a multi-disciplinary approach to responding to and planning for media opportunities.
The HIPAA Privacy Rule balances patient rights to control how and when their protected health information is disclosed for purposes outside of treatment while allowing healthcare providers flexibility to use and disclose PHI in order to treat that patient or coordinate the continuation of that care by family members and partners.
OCR has used its enforcement discretion during the COVID-19 public health emergency to relax requirements around community-based testing sites. OCR has drawn a line in the sand that covered entities risk consequences when disclosing PHI to the media without patient authorization.
Healthcare providers must approach very carefully the risks and their obligations to shield PHI when exposing patients or their treatment records to the glare of television lights, or a reporter’s notebook, without first obtaining an authorization that meets the requirements of the HIPAA Privacy Rule.
Well, I want to thank you very much for the opportunity to talk about HIPAA and media relations!
Ok! Thank you both for providing your insights and expertise.
A note to our listeners, a blog post related to this topic titled, “OCR Warns Hospitals: No News Media in Treatment Areas Without Patient Authorization” will be linked to this episode on its transcript page, episode #21.
Thanks for listening!