
COVID-19: OCR Reminds Providers of Media Access Restrictions to PHI

Even during the COVID-19 emergency, OCR reminds providers that HIPAA restricts the media and film crews from accessing areas where PHI could be accessible without patient authorization.

The Office for Civil Rights issued a reminder to healthcare providers that even amid the COVID-19 crisis, the HIPAA Privacy Rule does not permit them to give site access to media and other film crews where protected health information could be accessible without the patients’ prior consent.

Providers must first obtain a valid HIPAA authorization from each patient whose PHI could be accessible to the media before the media is given access to that health information.

Further, it’s not enough to mask or obscure the patients’ faces or any identifying information before broadcasting a recording of a patient. OCR stressed that a valid HIPAA authorization is a requirement for giving media access, and it must be acquired before the media has access, not merely before the recording is broadcast.

“The last thing hospital patients need to worry about during the COVID-19 crisis is a film crew walking around their bed shooting ‘B-roll,’” said OCR Director Roger Severino, in a statement. “Hospitals and healthcare providers must get authorization from patients before giving the media access to their medical information.”

“Obscuring faces after the fact just doesn’t cut it,” he added.

In the past, several providers have faced hefty civil monetary penalties and corrective action plans for failing to adhere to HIPAA guidance around media access.

In 2016, New York Presbyterian Hospital settled with OCR for $2.2 million after allowing an ABC media crew to film patients without authorization. Two years later, Boston Medical Center, Brigham and Women's Hospital, and Massachusetts General Hospital paid OCR nearly $1 million for similar violations.

Those HIPAA restrictions have not changed with the Coronavirus pandemic. HIPAA doesn’t allow covered entities to give the media or film crews access to any areas where PHI could be accessible in any form, including written, electronic, oral, or other visual or audio form, without obtaining written HIPAA authorization from each patient whose PHI would be accessible.

More importantly, providers are also not allowed to require a patient to sign a HIPAA authorization for this as a condition of receiving treatment.

Further, HIPAA-covered providers are not permitted to allow media or film crews to film patients in their facilities where PHI is accessible even if the patients’ faces are blurred or identities are masked after the fact.

Patients receiving treatment are typically surrounded by a trove of PHI, from their medical record number on the hospital room door to physicians’ notes about their care, real-time displays of heart or lung function, and oral communications about their health and health care.

“In addition, a patient’s presence in an area of a health care facility that is dedicated to the treatment of a specific disease or condition, such as COVID19, reveals the patient’s diagnosis,” the guidance explained. “HIPAA Privacy Rule does not permit a covered entity to give the media access to such patient PHI unless it obtains a valid HIPAA authorization from the patient before giving such access.”

“For example, a covered hospital may not allow media personnel access to the emergency department where patients are receiving treatment for COVID-19, without first obtaining each patient’s authorization for such filming,” they added.

Media and film crews are permitted to film patients where PHI could be accessible, but every patient who is or will be in the area where the filming takes place, or whose PHI could be accessible, must first sign a valid HIPAA authorization allowing the access to occur.

Only under those circumstances may a covered entity permit the media to film in those areas. However, the provider must ensure reasonable safeguards are in place to protect against unauthorized PHI disclosures.

Covered entities should consider implementing computer monitor privacy screens to prevent the film crew from viewing PHI on computers, as well as installing opaque barriers to shield media access to PHI of patients who did not consent to the access.

OCR has continued to issue both HIPAA waivers and clarifications for covered entities throughout the pandemic to ensure compliance and allow for improved data sharing, including insights into community-based testing sites, business associates, first responders, and telehealth.
