by Kapua Iao
Article filed in

OCR issues additional guidance on media access

by Kapua Iao

'HIPAA REQUIREMENTS' on white bordered paper above a caduceus with a magnifying glass highlighting the text.

On May 5, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued additional guidance on media access and healthcare providers.

The Notice of Enforcement Discretion addresses permissible media access under the HIPAA Privacy Rule, including during the COVID-19 emergency.

What is permissible media access?

The HIPAA Privacy Rule does not allow media access to covered healthcare entities (CEs) where patients and their protected health information (PHI) are accessible without express patient authorization and reasonable safeguards in place.

This includes all affected patients within a CE at all times, even during public health emergencies.

Multiple forms of PHI (e.g., name, medical record number, treatment room number, and medical notes/diagnoses) surround patients during treatment.

Under HIPAA, CEs must do their due diligence in protecting every patient and all sensitive information.

According to Roger Severino, OCR Director, “The last thing hospital patients need to worry about during the COVID-19 crisis is a film crew walking around their bed shooting ‘B-roll.’”

Indeed, patients must give valid authorization before a CE allows media access, not before it is broadcasted.

OCR further clarifies that masking or obscuring patients’ faces or PHI is not sufficient, or as Severino puts it, “just doesn’t cut it.”

Finally, the guidance adds that CEs “may not require a patient to sign a HIPAA authorization as a condition of receiving treatment.”

Are there exceptions?

During moments of crisis, the government, the media, and the general public want access to up-to-date information.

This is why the HIPAA Privacy Rule has exceptions or limited circumstances built-in.

General, statistical information, like that shared about COVID-19 patients, lacking direct indicators, is allowable without authorization.

RELATED: OCR Shares COVID-19 PHI, Data Sharing Guidance for First Responders

At the same time, CEs must employ safeguards (e.g., the ‘minimum necessary requirement’) to ensure personally identifiable information is concealed.

In 2016 and 2018, OCR issued hefty finds to CEs that failed to adhere to the Privacy Rule.

For that reason, this guidance on media access serves as a reminder.

And as the COVID-19 crisis evolves, OCR will continue to issue HIPAA waivers and clarifications.

SEE ALSO: HIPAA Compliant Email: The Definitive Guide

Try Paubox Email Suite for FREE today.