On September 20th, 2018, HHS’ Office of Civil Rights entered into three separate settlement agreements totaling $999,000 with Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital. According to OCR’s press release, the three Boston hospitals violated HIPAA by inviting ABC film crews onto their premises to film a documentary series without first obtaining authorization from patients.[i]

The three resolution agreements are extremely short and contain very little detail on the facts, so one can only wonder what patient protected health information (PHI) was disclosed or put at risk to justify such hefty fines. Was it that doctors being filmed talked openly about a specific patient? Was it that film producers were given access to patient medical records or that crews took pictures of patient lab tests?

The only clue as to the specifics of the PHI breach comes from the words of OCR Director Roger Severino contained in the press release: “Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments.” You may now ask yourself, was PHI discussed during those filmed encounters? For instance, were doctors and patients filmed during a conversation in which PHI was discussed (e.g. “I got your biopsy results and it tested positive for renal cell carcinoma”)? That would be a very clear-cut violation. But what if no medical information was discussed during filming? What if a patient was merely filmed from the observation deck during surgery? Would those still be HIPAA breaches? Can a mere reproduction of physical likeness be considered PHI?

Under US law, PHI is any information about health status, provision of health care, or payment for health care that can be linked to a particular individual and which is created or collected by a Covered Entity or its business associates.[ii][iii] Thus, we can all agree that any disclosure of information by a covered entity indicating or confirming that a specific individual is at such covered entity to receive care or treatment would be considered a disclosure of PHI. If that disclosure is made to a third party without informed patient consent, then under HIPAA it would be considered an impermissible disclosure of PHI.

Viewed from this perspective, the mere filming (or even photographing) of an individual at a covered entity could be considered an impermissible disclosure of PHI unless the patient has signed an informed consent to such disclosure. I know, you are probably wondering, why did I have to be so lawyerly and use the word “could” rather than the more certain “will”. As is often the case, context means everything in the legal world. Let’s discuss a bit.

Unlike most of its “Civil Law” counterparts, the US Constitution does not expressly guarantee a right to privacy. However, the Supreme Court has, to some extent, recognized in various decisions that individuals have a reasonable expectation of privacy and that the reasonableness of their expectation largely depends on context. For instance, individual expectation of privacy is greater at home or in private spaces than it is in public ones. The reasons why an individual may be at a particular location can also determine whether he has a reasonable expectation of privacy. For instance, a hospital patient’s expectation of privacy may be very different than that of friends or family visiting him, or that of a group of nurses having breakfast in the hospital cafeteria. In fact, the expectation of privacy can even be different depending on where in the hospital she/he might be (e.g. in the parking lot or in the examination room).

So, to answer the question of whether a reproduction of physical likeness can be considered PHI, the answer might be yes, but only to the extent that such reproduction portrays the individual while seeking or receiving medical attention and in a place where she/he has a reasonable expectation of privacy. Consequently, covered entities should include in their privacy policies proper guidance and procedures to obtain written informed consents from patients prior to allowing filming or photographing within their facilities and they would be wise to do so before the redcoats return.

_______________________________________________________

[i] See https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/bostoncases/index.html

[ii] Protected health information (PHI) is defined as individually identifiable health information transmitted or maintained by a covered entity or its business associates in any form or medium (see 45 CFR 160.103).

[iii] HIPAA’s definition of the term “Covered Entities” includes healthcare providers such as doctors, physician practices or hospitals, as well as health plans and healthcare clearinghouses.