OCR issues additional guidance on media access

HIPAA requirements for PHI disclosure

On May 5, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued additional guidance on media access and healthcare providers.

The Notice of Enforcement Discretion addresses permissible media access under the HIPAA Privacy Rule, including during the COVID-19 emergency.

What is permissible media access?

Under the HIPAA Privacy Rule, covered healthcare entities (CEs) may not give the media access to places where patients and their protected health information (PHI) are accessible unless there is express patient authorization and reasonable safeguards are in place.

This includes all affected patients within a CE at all times, even during public health emergencies.

Multiple forms of PHI (e.g., name, medical record number, treatment room number, and medical notes/diagnoses) surround patients during treatment.

Under HIPAA, CEs must do their due diligence in protecting every patient and all sensitive information.

According to Roger Severino, OCR Director, “The last thing hospital patients need to worry about during the COVID-19 crisis is a film crew walking around their bed shooting ‘B-roll.’”

Indeed, patients must give valid authorization before a CE allows media access, not before the material is broadcast.

OCR further clarifies that masking or obscuring patients’ faces or PHI is not sufficient, or as Severino puts it, “just doesn’t cut it.”

Finally, the guidance adds that CEs “may not require a patient to sign a HIPAA authorization as a condition of receiving treatment.”

Are there exceptions?

During moments of crisis, the government, the media, and the general public want access to up-to-date information.

This is why the HIPAA Privacy Rule has exceptions, or limited circumstances, built in.

General statistical information that lacks direct indicators, like that shared about COVID-19 patients, is allowable without authorization.

At the same time, CEs must employ safeguards (e.g., the ‘minimum necessary requirement’) to ensure personally identifiable information is concealed.

In 2016 and 2018, OCR issued hefty fines to CEs that failed to adhere to the Privacy Rule.

For that reason, this guidance on media access serves as a reminder.

And as the COVID-19 crisis evolves, OCR will continue to issue HIPAA waivers and clarifications.


About the author

Kapua Iao
