These days, news stations are frequently running stories concerning people being treated for COVID-19, the providers working tirelessly to care for them, and politicians visiting health care facilities for a first-hand look at the crisis. In response to the media interest, the Office for Civil Rights (OCR) issued guidance on May 5, 2020 to healthcare providers answering the question “Does the COVID-19 Public Health Emergency alter the HIPAA Privacy Rule’s restrictions on disclosures of protected health information to the media?” The guidance reminds them “that the HIPAA Privacy Rule does not permit them to give media and film crews access to facilities” in which patient health information may be accessible without the patients’ authorization. This includes any areas of the facility where patients’ protected health information (PHI) may be accessible in any form (e.g., written, electronic, oral, or other visual or audio form).

During the coronavirus pandemic, film crews and media representatives have parked themselves outside of hospitals and health care facilities and have shown patients being wheeled into hospitals from ambulances to dramatize the strain on the healthcare system and the number of people affected by the coronavirus. In addition, news reporting and special features have been produced to get an inside look into the pandemic from health care providers’ perspectives.Health care providers often transport patients with large sheets covering the patients on stretchers so their identity cannot be disclosed, or show a patient on a respirator or in a bed without showing the patient’s face.The guidance addresses the question “May HIPAA-covered health care providers allow media or film crews to film patients in their facilities where patients’ protected health information will be accessible without the patients’ authorization if the patients’ faces are blurred or their identities are otherwise masked in the video?”The answer in the guidance is just plain “No.” It reminds healthcare providers that the HIPAA Privacy Rule does not permit them to give media and film crews access to facilities where patients’ PHI will be accessible without the patients’ prior authorization. As the guidance points out, patients are typically surrounded by PHI, including such things as their name or medical record number on room doors or identifying bracelets, notes about care written on bulletin boards, and real-time displays of heart or lung function. In addition, a patient’s presence in an area of a facility dedicated to treatment of a specific disease or condition (such as COVID-19) reveals that patient’s diagnosis.With specific regard to the current COVID-19 public health emergency, the guidance explains that healthcare providers must obtain patients’ consent before the media can be given access to patients’ PHI. Masking or obscuring the patient’s face is insufficient, particularly if the blurring is done after the fact. “Prior, express authorization from the patient is always required.”

The OCR further stated that hospitals “may not allow media personnel access to the emergency department where patients are receiving treatment for COVID-19, without first obtaining each patient’s authorization for such filming.”

According to the guidance, the only time the media or film crew can access any part of the facility where patients’ PHI may be accessible is if “every patient who is or will be in the area, or whose PHI otherwise may be accessible to the media, has first signed a valid HIPAA authorization….Even then, covered health care providers must ensure that reasonable safeguards are in place to protect against unauthorized disclosures of PHI.”

The guidance describes reasonable safeguards that should be used to protect patient privacy whenever the media is granted access to facilities. Such safeguards can include installing computer monitor privacy screens to prevent the film crew from viewing PHI on computers, and use of opaque barriers to block access to the PHI of patients who did not sign an authorization.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.