All Publicity is Good Publicity, Unless it is a HIPAA Breach

A recent U.S. Department of Health and Human Services, Office for Civil Rights (OCR) settlement illustrates why health care facilities must carefully consider potential privacy risks and take precautionary steps before allowing a camera crew to film on their premises.

OCR settled with three Massachusetts hospitals for a total amount of $999,000 for violations of the Health Insurance Portability and Accountability Act (HIPAA) when filming an ABC television series intended to provide positive marketing and publicity for the hospitals.

The hospitals – Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital – permitted the filming of a medical documentary series on their premises without first obtaining their patients’ consent. OCR Director Roger Severino explained: “Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments.” Accordingly, health care providers under HIPAA are required to obtain patient authorization prior to disclosing or giving access to their protected health information to third parties.

In prior guidance¹ issued on this issue, OCR explained that it is not sufficient for a health care provider to require media personnel to mask the identities of patients (e.g., through blurring, pixilation or voice altering techniques) when recorded content is made available to the general public, because the provider is not permitted to make such information available to the media personnel in the first place without patient authorization. All patients that are located where media personnel will be present, or whose protected health information will be accessible to such media personnel, must provide prior authorization to such disclosure of their protected health information.

HIPAA only provides a few narrow exceptions where a patient’s authorization need not be obtained before disclosing information to the media. The exceptions include: (i) if the information is disclosed in order for the media to help identify or locate the family of an unidentified and incapacitated patient, and provided that the health care provider believes, in his/her professional judgement, that such disclosure is in the best interests of the patient; and (ii) if the disclosure is limited to general information that does not disclose specific protected health information about an identified patient.

In addition, a health care provider may retain a film crew to produce training videos or other public relations content on his/her/its behalf, provided that the provider and film crew execute a proper HIPAA Business Associate Agreement and comply with all of the obligations thereof. Providers can also inform the public, through media or other channels, about the services and programs they offer, as long as such information does not disclose any protected health information that identifies a particular patient.

When evaluating privacy risks, health care providers should consider applicable state privacy laws in addition to the HIPAA rules.

¹ https://www.hhs.gov/hipaa/for-professionals/faq/2023/film-and-media/index.html.