By Andrew W. Coffman & S. Blake Adams
Hospitals and medical clinics take wonderful care of patients, and every organization wants to celebrate the work done by its medical professionals. However, sometimes marketing and promotions can open health care providers up to HIPAA claims. As you consider publicizing the great work of your doctors and nurses, be sure not to disclose protected health information (PHI).
On Nov. 20, 2023, the Department of Health and Human Services’ Office of Civil Rights (OCR) announced a settlement with a New York hospital relating to the disclosure of PHI in an article on the hospital’s response to the COVID-19 pandemic. The article contained photographs and information about the hospital’s patients.
OCR determined the hospital disclosed three patients’ PHI to the Associated Press without obtaining written permission. This information had the effect of disclosing the patients’ COVID-19 diagnoses, current medical status, prognosis and treatment plans. Based on this disclosure, the hospital agreed to pay an $80,000 civil penalty and implement a corrective action plan, including drafting new written policies and procedures.
OCR media guidance makes clear that covered entities cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ PHI will be accessible in written, electronic, oral or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI will otherwise be accessible.
Before promoting your services through the media, consider these tips:
Members of the media may access areas of health care facilities that are otherwise generally accessible to the public.
Any patient whose PHI is disclosed must sign a release before disclosure.
If a provider contracts with a media company to produce promotional materials that may involve the disclosure of PHI, in addition to any required patient authorizations, the provider must enter into a HIPAA-compliant business associate agreement with the media company. This agreement must ensure that the media company will safeguard the PHI it obtains, only use or disclose the PHI for the purposes provided in the agreement, and return or destroy any PHI after the work for the health care provider has been completed. As a business associate, the media company must comply with the HIPAA Security Rule and a number of provisions in the Privacy Rule, including the Rule’s restrictions on the use and disclosure of PHI.
Health care providers are important parts of our communities. The services offered by those entities should be widely reported. HIPAA allows covered entities to inform the media of their treatment services and programs so that the media can better inform the public, provided that, in doing so, the covered entity does not share individuals’ PHI without their prior authorization.
Andrew W. Coffman and S. Blake Adams practice at Phelps, where Coffman serves as a member of our Intellectual Property team and Adams practices with the Health Care team.