By Margaret Scavotto, JD
Director of Compliance Services
Management Performance Associates
HIPAA compliance officers and privacy and security officers generally worry about HIPAA violations throughout the day. But does your public relations department?
An arrest and a press release
In May 2017, a nonprofit health system in Texas reached a $2.4 million settlement with the OCR to resolve alleged violations of the HIPAA Privacy Rule.
A patient presented a false identity card at an OB/GYN clinic of the health system. The clinic called the police, which complied with the Privacy Rule's provisions for reporting a crime on the premises. But then the health system issued a press release about the arrest. The title of the press release included the patient's name.
Why the press release? The patient is a Mexican immigrant, and her arrest attracted protesters to the hospital. Protesters said hospitals should be "safe havens" for immigrants. One can understand why the hospital would feel the need to address the issue. But the OCR found that by identifying the patient in the press release, the health system went too far under HIPAA.
An interview with the media and a group email
The OCR stated that senior medical center officials "met with the media to discuss medical services provided to a patient" and "unacceptably shared details about health status, diagnosis and treatment of the patient". The OCR stated that the medical center "had not protected the patient [PHI] from a prohibited disclosure by intentionally disclosing personal health information to multiple media on at least three occasions without a valid written authorization."
A survivor of Ebola
Nina Pham, a former nurse at Texas Health Presbyterian Hospital in Dallas, contracted the Ebola virus while treating a patient. While Pham was being cared for at Texas Health Presbyterian, a doctor visited her hospital room with a GoPro camera under a hazmat suit and asked her questions about how she was feeling. The hospital's public relations department posted the video on its YouTube site and distributed it to the press as part of its #PresbyProud campaign. Pham sued the hospital and claimed that the hospital released the videos to counter the bad press it received when Pham and another nurse contracted the Ebola virus at work: "Never Nina's permission to be used as a PR pawn like that."
The hospital claimed that it "was sensitive to Nina's privacy, and we adhered to the HIPAA rules by determining what information to publicly share, we had Nina's consent to share information about her being released."
In her complaint, Pham disagrees. It contains notes from Pham's medical record, made on October 14 by her pulmonologist, stating that the doctor "has discussed with her and has reviewed in detail the consent form for the disclosure of information and she agrees to give the information." The same doctor noted at the time that they were discussing "end-of-life problems" with Pham, as well as Pham's treatment plan.
The Pham lawsuit was settled, and the terms of the settlement were not made public. So we do not know exactly what happened on October 14. We do know that HIPAA consent for media use can be complicated.
A television crew in the emergency room
In 2016, New York Presbyterian Hospital reached a $2.2 million settlement over what the OCR called a "flagrant disclosure".
The hospital allowed the ABC television show NY Med to film two of its patients in the emergency room without obtaining their permission. One of the filmed patients was dying; the other was in distress. Filming continued after a health professional objected.
One of the patients filmed was Mark Chanko, a man who was rushed to the hospital after being run over by a garbage truck. When NY Med aired, Chanko's voice was muffled and his face was blurred, but he was still recognized by his widow.
In 2012, the hospital's former vice president of public affairs commented on the first NY Med season: "You cannot buy this kind of advertising, an eight-part series on a large broadcast network."
What you can do
We do not know all the circumstances of these examples, but we know that public relations initiatives may involve hidden HIPAA risks.
Ask yourself: Who attends HIPAA training? What about the CEO? The board? Doctors? Who is most likely to talk to the media? The media will probably not call the HIPAA Privacy Officer when you have a high-profile patient. They will call the CEO, the president, the administrator, your public relations department, and so on. These people need HIPAA training just as your nurses do.
It may be tempting to excuse executives from training because we know they are busy, but be careful when it comes to compliance, including HIPAA. They may not come to your training session at 7 a.m., but find a way to provide them with the information they need.
Keep in mind that HIPAA education for leadership might need to be done a little differently than HIPAA education for patient care staff. Tailor the content, including hypotheticals wherever possible, to the specific HIPAA situations your audience might encounter.