Yesterday I read a news story about how a woman, Mrs. Anita Chanko, saw an episode of the Dr. Oz show “NY Med” that included video of her husband, who had died 16 months earlier, in the hospital receiving care after being hit by a truck while crossing the street. She did not know that such a video even existed.
The picture was blurred, but the woman knew it was her recently deceased husband because she recognized his voice when he spoke, the conversation topic, the hospital where the care was occurring, along with other visual indicators. She heard her husband ask about his wife; her. She then watched his last moments of life, and then his death on television.
No one had given the NY Med show or the New York-Presbyterian Hospital permission to film the man, let alone to broadcast his treatment and then ultimately his death.
This happened in the U.S. HIPAA regulations have strict privacy requirements for protecting patient information, including images or any other type of information that can point them an individual. Such information cannot be released to anyone without authorization of the patient, or the legal guardians, to others not involved with treatment, payment or operations (TPO). This applies to information of those deceased. (NOTE: Originally HIPAA had this requirement last basically forever following death, but the Omnibus Rule changed this to 50 years following death.)
HIPAA is not new. It was passed 18 years ago.
This situation brings up several questions, including:
- Why didn’t New York-Presbyterian Hospital, where Mr. Chankos was given patient care, have controls in place to prevent this? They should for their HIPAA compliance requirements.
- Why didn’t Dr. Oz, who reportedly had oversight of all the episodes, or the doctor providing the care to Mr. Chanko catch this before it was aired? They should recognize such a privacy problem, if they are sensitive to the patient and the patient’s family.
- Was the decision made that the sensationalism of showing a death on a reality show was more important than complying with healthcare regulations? Many following this story believe this is the case.
Broadcasting their father’s/husband’s death traumatized the family. They wrote complaints to the Department of Health and Human Services (HHS), the ABC network, the NY Department of Health, New York-Presbyterian Hospital, and a hospital accrediting group.
ABC removed the segment from the show itself, but parts of it still exist in their promos for the show.
The Chankos sued.
ABC lawyers “do not dispute that they did not have consent from Mr. Chanko or his family, but they say the patient is not identifiable to the public. The network has asserted that because “NY Med” is produced by its news division, it is protected by the First Amendment. Lawyers for NewYork-Presbyterian have argued that the state does not recognize a common law right to privacy and that any privacy right Mr. Chanko did have ended upon his death. They say that the Chankos themselves are responsible for their loss of privacy.“
(The emphasis above is mine, not in the reported story.)
Leave it to the lawyers who know they are wrong (if they have a conscience anyway) to try to blame those who were impacted. And if they were lawyers worth their salt, they would know that HIPAA *DOES* protect patient information privacy following death.
And what is this nonsense about the show being news and the First Amendment!? Good grief, it seems like this weak claim has been made dozens of times throughout 2014. There is nothing in HIPAA that says you forfeit your privacy rights if the information is news!
Here is where the lawyers’ reasoning is very wrong. They state:
“There would today still be no identification of the patient or his family but for the latter’s publication via this lawsuit.”
Oh, really?
The article states:
In the aftermath of the broadcast, a lawyer for New York-Presbyterian tried to assure the family that no one could identify them from what was shown on TV. “Please be assured that your father’s and your family members’ images, likeness and other potentially identifying information were completely obscured in the episode,” the hospital’s associate general counsel, Caroline S. Fox, wrote in an emailed response to Kenneth Chanko’s complaint.
Yet a few weeks later, Mrs. Chanko said she received a call from a woman who used to work as a pet sitter for her and her husband. “She said to me, ‘Do you watch “NY Med?”.’ She said, ‘That was Mark, wasn’t it?’ She recognized him.”
Other people identified the patient by his voice, the context of the situation, and possibly how he looked in the blurred video.
Have the hospital and network lawyers even read HIPAA? I recently wrote a blog post about the types of information that are considered to be protected health information (PHI). Here are a couple of types that would seem to apply to this situation:
- Biometric identifiers, including finger and voice prints. The patient’s voice was recognizable by multiple individuals. Just because they were people that knew him and not the general public is not a reason to dismiss this important point. However, the hospital lawyer’s comment sure seems to think so.
- Any other unique identifying number, characteristic, or code. The context of the situation lends itself to having others being able to figure out who this is.
HIPAA also describes PHI as information that “could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information“. People clearly identified the patient, Mr. Chanko, by the images and sounds in the TV show. When considering privacy, context always matters.
I couldn’t find anything about the Chanko incident on the HHS site. Reportedly they are still considering the case. I hope they find, as has been demonstrated by the details of the case made public so far, that the hospital and doctors violated HIPAA, since the blurred images, voice, and situation surrounding the situation (don’t forget, context is always very important when considering privacy!) pointed to a specific individual, that this situation did indeed violate HIPAA requirements. If the HHS does not come to this logical conclusion, the New York Attorney General’s office has the power to make this decision as well.
Some important points:
- If any type of patient information can be linked to an individual it is generally considered to be PHI. It doesn’t have to just be a visible image, as the hospital lawyer is trying to claim to relieve the hospital from its privacy responsibilities, and the ABC network from its liabilities.
- HIPAA requires a qualified statistician to determine if information, such as a video inside a hospital, has been sufficiently de-identified to no longer be PHI when just simply removing items from a data file will not be sufficient, such as in this case. Most lawyers do not have such qualifications. Based upon the reported details, and the lawyers’ claims and arguments, it does not sound as though such a qualified expert was even consulted.
Over 2014 I had over a dozen instances of speaking with marketers in the healthcare field, including many from medical device vendors, that said they’d been told by their legal area that if there is not explicit prohibition against sharing certain types of patient information that they can “go ahead and share it, then apologize later or dispute complaints if it turns out to be a problem later.”
Too often lawyers with no understanding of privacy, or who have only their employers’/clients’ interests in mind, go out of their way to justify using PHI, and other types of personal information, for their own goals and benefits. Instead, they should take some time to thoughtfully consider the privacy impact to those whose personal information they want to use to advance their own goals. And here is where to cue the lawyer jokes.
For more on HIPAA see my HIPAA Compliance Tools site, Privacy Professor site, and my recently published book, “The Practical Guide to HIPAA Privacy and Security Compliance 2nd Edition.”
Tags: ABC, Chanko, Dr. Oz., HIPAA, HITECH, Information Security, infosec, medical devices, NewYork-Presbyterian Hospital, NY Med, patient information, personal information, PHI, privacy, privacy professor, privacy risks, privacy rule, privacyprof, protected health information, Rebecca Herold, security rule