When it Comes to Sensitive Patient Information, Sharing is Not Caring

April 30, 2020

If you’re like most practices, you probably haven’t had the media knocking down your doors asking about sensitive patient information. But with the current public health emergency splashing patient stories across the web, healthcare organizations beware! Media outlets are on the hunt for positive cases of COVID-19 and it’s important to know the rules surrounding sharing protected health information (PHI) with the media if your practice gets caught up in the COVID-19 media wave.

In general, COVID-19 or not, HIPAA law prohibits healthcare providers from disclosing a patient’s PHI to the media unless either the patient or their personal representative authorizes the disclosure or the disclosure fits within a specific HIPAA exception. We all know how the public reacts when something makes headlines (recent toilet paper shortages, for example) which is why it is so important to protect your patients’ privacy – especially when it comes to the media. 

Some basic rules of thumb to know when facing a situation that might involve the media and patient information are: 

  • Ask permission, always. If a medical practice is looking to disclose any patient information to the media, the first course of action should be to get written permission from the patient. When receiving authorization from the patient, make sure they are fully aware of exactly what information is being shared, for what purpose, and who exactly is being provided with this information.
  • There is no “open-door policy.” Make sure you have all appropriate physical safeguards in place to keep PHI secured against nosy, improper access. The waiting room is the only place the media should enter. For areas beyond it, the OCR explicitly states that health care providers cannot invite or allow media personnel into any area where patients’ PHI is accessible in any form without prior written authorization from each individual who is, or will be, in the area or whose PHI would be accessible.
  • Good PR is HIPAA-appropriate PR. Providers are authorized to utilize film crews for purposes such as public relations material or training videos, and these crews may be allowed in areas where PHI is kept. In these scenarios, certain privacy protections must be in place, including proper Business Associate Agreements with the film crew as well as prior written authorization from any patients who might be present while the filming is taking place or whose PHI might be included in any related materials.

In any situation where disclosure of PHI is involved – the media included – the provider must ensure that all reasonable safeguards are in place to protect against any impermissible or incidental disclosures of patient information. In the event PHI is shared, it must be kept to the minimum information necessary to abide by HIPAA law and protect the privacy of patients. In one recent case, an allergy practice found itself in a HIPAA violation settlement after a patient of the practice contacted a local TV station regarding an incident at the practice. When the station contacted the practice for comment, the practice impermissibly disclosed the patient’s PHI. This discussion with the media cost the practice a $125,000 settlement on top of a two-year corrective action plan.

Some words of advice? If ever faced with a situation involving the media, don’t be blinded by the spotlight. Avoid publicly reporting any patient PHI or disclosing information upon media request. Simply responding with “no comment”, or having staff reply that they are not authorized representatives and cannot speak on the practice’s behalf could save your practice the hassle of dealing with major HIPAA violations and shelling out a big chunk of change. 

A public health emergency, such as the current COVID-19 pandemic, brings some additional confusion about sharing information with the public in order to mitigate further health risks. This uncertainty has often led to impermissible media disclosures, such as a Detroit Pistons player’s COVID-19 diagnosis, which recently made headlines before he even had a chance to tell his own mother. Certain disclosures may be made to authorized organizations, but when it comes to sharing PHI with the media at large, it’s important to know what’s off-limits to best protect your patients’ privacy.