Margaret C. Scavotto, JD, CHC
Management Performance Associates
Compliance officers and HIPAA privacy and security officers typically worry about HIPAA violations all day long. But does your public relations department?
An arrest and a press release
In May 2017, a not-for-profit health system in Texas entered a $2.4 million settlement with the OCR to resolve allegations that it violated the HIPAA Privacy Rule.
A patient presented a fake ID at a health system OB/GYN clinic. The clinic called the police – which complied with the Privacy Rule’s provisions for reporting a crime on the premises. But, then the health system issued a press release about the arrest. The press release title included the patient’s name.
Why the press release? The patient is an immigrant from Mexico, and her arrest drew protesters to the hospital. The protesters asserted that hospitals should be immigrant “safe zones.” One can see why the hospital would feel the need to address the matter. But, the OCR found that, by identifying the patient in the press release, the health system went too far under HIPAA.
A media interview and a group email
In 2013, a medical center entered a $275,000 settlement with the OCR to resolve Privacy Rule allegations surrounding the center’s discussion of a particular patient.
The OCR claimed that medical center senior leaders “met with media to discuss medical services provided to a patient” and “impermissibly shared details about the patient’s medical condition, diagnosis and treatment in an email to the entire workforce.” The OCR also claimed the medical center “failed to safeguard the patient’s [PHI] from impermissible disclosure by intentionally disclosing PHI to multiple media outlets on at least three separate occasions, without a valid written authorization.”
An Ebola survivor
Nina Pham, a former nurse at Texas Health Presbyterian Hospital (Dallas), contracted the Ebola virus while treating a patient. While Pham was being treated at Texas Health Presbyterian, a doctor visited her hospital room with a GoPro camera under his hazmat suit, and asked her questions about how she was feeling. The hospital’s PR department published the video on its YouTube site and released it to the press as part of its #PresbyProud campaign. Pham sued the hospital, and claims the hospital released the videos to overcome the bad press received by the hospital when Pham and another nurse contracted Ebola on the job: “Never once did THR get Nina’s permission to be used as a PR pawn like this.”
The hospital asserted that it “was sensitive to Nina’s privacy, and we adhered to HIPAA rules in determining what information to share publicly. We had Nina’s consent to share the information about her that was released.”
In her complaint, Pham disagrees. The lawsuit contains notes from Pham’s medical records on Oct. 14 from her pulmonologist that the doctor “discussed with her and reviewed in detail the consent form for release of information and she agrees to consent of information release.” But, Pham points out, the same doctor noted at the time that they discussed “end-of-life issues” with Pham and discussed Pham’s treatment plan.
Pham’s lawsuit settled, and the settlement terms were not made public – so we don’t know exactly what happened on October 14. We do know that HIPAA consent to media use can be complicated.
A TV crew in the ER
In 2016, New York Presbyterian Hospital entered a $2.2 million settlement for what the OCR called an “egregious disclosure.”
The hospital allowed the ABC TV show NY Med to film two of its patients in the emergency room, without obtaining their authorization. One of the filmed patients was dying; the other was in distress. Filming continued after a medical professional objected.
One of the patients filmed was Mark Chanko, a gentleman who was taken to the hospital after he was hit by a garbage truck. When NY Med aired, Mr. Chanko’s voice was muffled and his face was blurred – but he was still recognized by his widow.
In 2012, the hospital’s then-VP of Public Affairs commented on the first season of NY Med: “You can’t buy this kind of publicity, an eight-part series on a major broadcast network.”
What You Can Do
We don’t know all the circumstances of these examples, but we do know that PR initiatives can involve hidden HIPAA Risks.
Ask yourself: Who attends HIPAA training? What about the CEO? The Board? Doctors? Who is most likely to speak with the media? The media probably won’t call the HIPAA Privacy Officer when you have a high profile patient. They’ll call the CEO, the President, the Administrator, your PR department, etc. These people need HIPAA training just like your nurses do.
It can be tempting to leave execs out of training because we know they’re busy, but be careful when it comes to compliance, including HIPAA. They might not come to your 7 am in-service, but find a way to get them the info they need.
Keep in mind that HIPAA education for leadership might need to be done a little differently than HIPAA education for patient care staff. Tailor education content, including hypotheticals wherever possible, to the specific HIPAA situations your audience might encounter.