I received a very interesting question yesterday, and I wanted to share it and my response here because it is a great HIPAA topic to discuss that I have not seen written about before. I’ve removed the identifying information, and modified the situation details enough so that this cannot be tied to the actual situation…
“I recently had a situation regarding a HIPAA violation.
In a recent office-based surgery situation, a photo was taken of the operating room after the patient was discharged. The photo was then posted to a popular social networking site with a caption reading “what a long day of surgery doing [redacted details; none of which were personal information items] for [] hours.”
The photo did not have any individual in it. It did not have any items or information or any PHI of any kind that could be viewed. Just the operating room bed, drapes, equipment, etc. Comments were made on the social networking site regarding the photo. However, absolutely no PHI was posted at any time on the site in any way in relation to the posted picture.
The photo on the Internet was reported to the physician. The employee who posted the photo was asked to take a couple of days off after being told that the HIPAA Act was violated and that the practicing physician was at risk of losing his license, as well as the employee. The employee then left the place of employment and has not been contacted with any further instructions or given a chance to make a defense.
What are your thoughts about this? Thank you!”
Here is my reply, again with personal references removed…
“Thanks for your message.
Compulsory disclaimer: None of the information within this message is intended to be legal advice. This is strictly my opinion of the interpretation of HIPAA based upon my practical experience and research.
You mentioned that no PHI was given, but also that it was a photo of the surgery room where a patient had been that was posted to Facebook.
Photos with a patient in them are considered to be protected health information (PHI). In fact, there are 18 specified items within the Health Insurance Portability and Accountability Act (HIPAA). “Full face photographic images (and any comparable images)” is on this list, as is “Other unique identifiers that can be attributed to a specific individual.” But the photo was just of the room, and there was nothing visible in the room to link to the specific individual patient?
If you go by these facts, and there was absolutely nothing in the photo that could be tied to the patient, then looking strictly at the HIPAA regulations text, the situation you describe does not sound like a HIPAA violation.
However, another HIPAA requirement is that covered entities (which include healthcare providers) must establish and implement information security and privacy policies, communicate them to personnel, and enforce them. So now some questions to ask are…
- Does your office have information security and privacy policies?
- Are there any policies that state no photographs may be taken in areas where surgeries are performed, or some similar type of wording?
- Are there any policies stating nothing from the office can be posted to Internet websites or otherwise outside of the office?
- Have the policies been communicated to all personnel?
- Have all personnel been given training over the policy requirements?
- Is there a sanctions policy that states noncompliance with the policies could result in disciplinary action up to and possibly including termination and potential legal actions (or something similar)?
It is possible that, if such policies exist and were created specifically for HIPAA compliance, your organization is viewing this policy noncompliance as being a HIPAA infraction because of the HIPAA requirements to have security/privacy policies and enforce them. However, with such policies, training and communications in place, the policy infraction on its own is generally grounds for disciplinary actions, possibly including termination.”
Of course there is much more to say about this situation: how the use of social networking sites by personnel must be addressed within information security and privacy policies; the need for training and ongoing awareness to keep up with new and emerging technologies and personal activities that bleed over into work activities; HIPAA and now HITECH Act issues; and so on.
Much more about these issues in future posts to come!