HIPAA and Media: OCR Issues Guidance on Media and Film Crew Access
Recently, federal regulatory departments have published new guidelines for healthcare organizations. These guidelines clarify how organizations must protect patients' privacy when they work with journalists. News organizations continue to cover the Covid-19 pandemic. Hospitals can work with media groups to inform the public. But, they--and other covered organizations--must stay compliant with HIPAA. Fortunately, it's possible to do both. Unfortunately, navigating the process can be tricky. And, doing it wrong can earn a group million-dollar fines.
What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act. Congress signed this act into law in 1996. It regulates insurance policies so people can easily stay insured when they change jobs. It also ensures a person's ability to add family members to their insurance policy. And it establishes a patient's right to access their own healthcare information. Moreover, HIPAA holds healthcare providers accountable for protecting patients' privacy. It mandates information security measures. Congress clarified these mandates in 2000 when it finalized the Patient Privacy rule. The Department of Health and Human Services (HHS) enforces HIPAA compliance. Specifically, the department's Office for Civil Rights (OCR) investigates reported HIPAA violations. The OCR can fine violators. And it negotiates resolutions to ensure future compliance.
Which Groups Must Comply With HIPAA Regulations?
Entities that work with patients' private healthcare information (PHI) must comply with HIPAA. The HHS published a comprehensive FAQ about which organizations must comply with HIPAA. These include:
- Doctors' offices
- Healthcare organizations
- Clinical researchers
- State, county, and local health departments
- Health insurance providers
- Healthcare clearinghouses
The HHS does not regulate media organizations. But, that doesn't mean media organizations have free rein to observe patients' private medical information.
OCR Guidance: How to Enable Compliant Media Coverage
The Covid-19 pandemic is a newsworthy event. As such, many news organizations committed to ongoing coverage of hospitals and patients dealing with outbreaks. Healthcare organizations are dealing with unprecedented levels of media contact. These organizations risk inadvertently violating HIPAA when they participate in news coverage. So, in May 2020, the OCR issued guidance on how to stay compliant when working with media members. Here is a summary of OCR's guidance.
Can a Film Crew Record Footage In HIPAA-Compliant Facilities?
No. A film crew may NOT record footage in facilities obligated to comply with HIPAA regulations. There are very few exceptions to this rule. A media organization may offer to obscure identifying information in the final story. For example, it may offer to blur patients' faces and hospital bracelets. But, this strategy is not enough to comply with HIPAA.
Can Journalists Observe or Record Audio in a Healthcare Setting?
No. Journalists cannot observe or record audio in a healthcare setting in most circumstances. The key rule is, nobody can legally view a patient's PHI without their explicit, written consent. Most treatment areas are full of PHI. PHI can include:
- ID bracelets
- Physical health records
- Scheduled treatment posted on a whiteboard
- Data visible on computer monitors
No media member may view these things without patient consent. An emergency room is full of patient data.
How Can Media Organizations Cover Medical News Without Violating HIPAA?
Healthcare organizations may want to work with media members to tell a story. Fortunately, there are ways healthcare and media organizations can work together while staying compliant.
First, a media member may film or interview patients if they get written consent. Note that the journalist must obtain written consent from all patients they may observe--even accidentally. A patient can consent to the disclosure of their PHI. The patient must fill out an authorization form.
Alternatively, media members may conduct interviews offsite. This way, they will not accidentally observe patient information without a patient's consent. The interview may be via phone or video call. In that case, the audio or video equipment must not inadvertently "pick up on" private health information. In an interview, staff members may not disclose a patient's PHI. A patient can legally disclose their own PHI.
A third option is to use stock B-roll footage to illustrate a news story. Stock video footage from reputable companies is typically legally obtained. Or, the video is filmed on a set, and "patients" are actors. Media groups can also use images and videos a hospital provides. These files must be created without violating HIPAA.
The fourth option is to build a story using de-identified data. Journalists can write a story using published statistics that do not identify individual patients. Many public health organizations collect and publish de-identified data. This data can show Covid-19 hospitalization trends. For instance, this information might show what percentage of ICU beds are dedicated to Covid patients. Organizations must comply with HIPAA regulations about data de-identification. Following OCR processes ensures that no one can identify an individual patient from a data set.
If a Patient's PHI is Exposed by Media Coverage, Who is Responsible?
The HHS OCR regulates healthcare organizations. It does not regulate media organizations. So, healthcare organizations must comply with HIPAA. If a patient's PHI is exposed, the OCR will hold the healthcare organization responsible. Sometimes, hospitals warn journalists that they could violate HIPAA by conducting interviews. This has confused journalists in the past. In truth, hospitals may violate HIPAA by allowing journalists to conduct interviews on-site. But, journalists themselves are typically only guilty of violating hospital policy. They are not the ones violating HIPAA. Healthcare organizations may enforce HIPAA-compliant policies with security measures. It is legal for healthcare organizations to enforce policies with security guards. But, researchers recommend enforcing policies with verbal de-escalation and awareness campaigns. Organizations should only secure patient privacy with physical force as a last resort.
First Amendment vs. HIPAA
Remember that reporters have rights. In some cases, journalists' First Amendment rights and patients' privacy rights seem to conflict. It's wise for healthcare organizations to work peacefully with media groups. The goal is to cover stories in a way that respects the rights of everyone involved. Still, sometimes these conflicts end up in court. In 2007, The Cincinnati Enquirer sued the local health department. The newspaper alleged the department violated journalists' right to freedom of the press. And, it also violated their rights under the Freedom of Information Act (FOIA). The health department believed their actions were legal. It had imposed specific measures to protect patients' PHI and comply with HIPAA. But, the Ohio Supreme Court ruled the health department's measures went too far. The department had violated the Enquirer's rights in its overzealous effort to protect PHI.
OCR Fines Violators
It is important to create policies that respect the rights of all groups. Overly strict policies may violate reporter rights. But, OCR may fine groups with overly lenient policies. The OCR has penalized hospitals and other groups for collaborating with media groups that inappropriately expose patients' PHI. OCR resolved two prominent cases in this category in the past five years.
$2.2 Million "NY Med" Settlement
In 2016, OCR fined New York-Presbyterian Hospital $2.2 million. It imposed the fine as part of a settlement on behalf of patients. NYPH violated patients' HIPAA rights when it participated in the documentary series NY Med. ABC News produced "NY Med." The series was filmed and ran for two seasons, from 2012 to 2014. The show depicted the drama inherent to treating patients at the prestigious hospital. Producers filmed many patients, including Mark Chanko. In particular, show directors filmed Mark Chanko as he died of injuries. Chanko and Chanko's family did not consent to the showrunners filming him. ABC News had blurred out Chanko's face in post-production. But this did not undo the initial violation of privacy. Chanko's family filed a complaint with OCR. The New York State appellate court found NYPH violated Chanko's rights. NYPH enabled crew members to view Chanko's PHI without his consent. As a result, OCR fined NYPH $2.2 million. It also imposed a corrective action plan. OCR monitored NYPH for two years to ensure the hospital abided by the action plan.
$999,000 "Save My Life: Boston Trauma" Fine
In 2018, OCR imposed similar penalties. Three Boston hospitals participated in an ABC TV reality show. The show was Save My Life: Boston Trauma. The participating hospitals included:
- Boston Medical Center
- Brigham and Women's Hospital
- Massachusetts General Hospital
Patients from all three hospitals filed complaints with OCR. OCR investigated the complaints. It found all three hospitals liable for failing to secure patients' privacy. As in the NY Med case, OCR had to clarify that blurring patients' IDs in post-production does not effectively protect PHI. The moment a crew member observes a patient without the patient's permission, the patient's HIPAA rights have been violated. OCR both imposed fines and implemented resolutions. OCR monitored each hospital to make sure it abided by the resolutions. Each resolved to abide by a corrective action plan. Remember, HHS OCR does not regulate media companies. ABC did not face any penalties for observing patients without their consent. ABC continues to air Save My Life: Boston Trauma. It did not remove any episodes as a result of the case.
Stay HIPAA Compliant
As the pandemic continues, your organization may want to coordinate with media members to inform the public. It's important to do this without violating HIPAA. At HIPAA Exams, we offer over forty IACET-certified courses. Each course grants organizations the information they need to stay compliant. Different courses address compliance issues specific to different organizations. The classes empower organizations to develop compliant policies.