OCR Issues COVID-19 Guidance on Disclosure of PHI to the Media

By | Published On: May 7, 2020

Earlier this week, the Office for Civil Rights (OCR) issued a COVID-19 Guidance on Disclosure of PHI to the Media (“Guidance”) reminding covered entities that they must have a patient’s written authorization prior to allowing the media into areas where protected health information (PHI) is available in any written, electronic, oral, or other visual or audio form.  Under the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule, covered entities may not disclose PHI to media personnel unless the patient (or their personal representative) signs a valid HIPAA authorization.  The Guidance states that these requirements have not been waived in response to the COVID-19 public health emergency.

Prior to allowing the media access to any PHI, covered entities must ensure that patients complete valid authorization (see 45 CFR § 164.508(c) for the required elements of a HIPAA authorization).  Any patient who is or will be in the area or whose PHI will be accessible to the media (for example, because their record is displayed on a computer screen or viewable on a desk/workspace) must complete an authorization.  The Guidance warns that “a patient’s presence in an area of a health care facility that is dedicated to the treatment of a specific disease or condition, such as COVID-19, reveals the patient’s diagnosis.”

Requiring or requesting the media to mask the identities of patients after the filming (by, for example, blurring, pixilating, or using voice alteration software) is not sufficient as the HIPAA Privacy Rule only allows media personnel to access PHI if the patient has signed a valid authorization.

How can covered entities both protect patient privacy and get media coverage?

  • Develop a process to ensure patients sign an authorization prior to media visits. Have additional authorizations available during the media visit, in case a patient is recorded.
  • Develop a process to ensure that the media does not have access to patients who do not sign an authorization. This may require restricting access by having a staff member accompany members of the media during their visit.
  • Identify locations for interviews where it is unlikely that other patients or PHI will be in the background. An interview may be held in an empty exam room or in front of a backdrop with the organization’s logo.
  • Ensure that computer screens are protected with privacy screens. Have employees access “test” patient accounts in the EMR during filming, instead of accessing accounts of actual patients.

For additional information on disclosures of PHI to the media, see OCR’s 2016 FAQ and FTLF’s webinar PHI for Media and Marketing: Ensuring Your Health Center is HIPAA Compliant.

Questions? If you have questions about this update or other matters, please contact Dianne Pledgie, or call FTLF at (202) 466-8960.

Ms. Pledgie is a member of the New York and Massachusetts Bars and is not licensed in Washington, DC. Her practice is limited to federal health care matters.