(One caveat: I am not a healthcare attorney; I am a healthcare marketer. If you have a legal question, consult your corporate attorney. This post contains my interpretation of the implications of HIPAA regulations for business associates [photographers, videographers, ad agencies] that a hospital may employ. I am offering common sense advice, not legal expertise.)
The Health Information Portability and Accountability Act (HIPAA) defines a business associate as any organization or person working in association with or providing services to a covered entity who handles or discloses Personal Health Information (PHI) or Personal Health Records (PHR). For those of us working in healthcare marketing and communications, that includes videographers, photographers, media companies, advertising agencies and marketing firms, among others. These organizations must take special measures to ensure the security of any private health information they gather while working with their healthcare clients. All of us need to be aware of these measures and remain vigilant.
Updates made to the HIPAA regulation by the HITECH Act require business associates to comply with HIPAA mandates regarding the handling and use of PHI. As of February 18, 2010, the Department of Health and Human Services can audit business associates for HIPAA compliance.
Any company working with private health information should conduct a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by that entity. Risk assessments should be conducted at regular intervals, and documented. Policies should be updated periodically as well.
If, as a hospital marketing professional, you allow a vendor to leave your facility with private health information, you need to know that they have systems in place for properly safeguarding that information. It is not enough for them to tell you that they will “blur out the patient’s information” from the finished video or photograph. Trust me, I hear this all the time. It does not satisfy the requirements for the safeguarding of private health information under HIPAA.
Here’s a very real scenario:
A video crew is shooting a monitor in your hospital’s cath lab. They promise to blur out the patient’s information in the finished video. You allow them to leave with the patient’s private health information recorded on digital video. Even if they blur out the patient’s information in the final product, what happens to the raw digital files? How are those safeguarded? How are they protected from a potential security breach, if at all? These are the things you need to know.
My preference would be that you not allow business associates or vendors to capture private patient health information at all. If you’re shooting monitors, use black tape to cover up any information that may identify the patient. Why even risk having private health information exposed unnecessarily? That is far different from photographing and videotaping patients who have signed a HIPAA release. (Remember, a standard photographer’s release is not sufficient when dealing with patients.)
Things you should know:
In addition to the above, you should know whether your vendor has the following in place:
- A designated Security Official who oversees the development, implementation, monitoring, and communication of security policies and procedures within the organization.
- Secure storage for digital files. How are files containing private information stored to maintain security?
- Access logging. When employees of the firm access files that contain private information, is each point of access logged properly?
- Documented policies and procedures for granting access to electronic protected health information, for example through a workstation, transaction, program, process, or other mechanism.
- A security awareness and training program for all members of the workforce, including management.
- Procedures for guarding against, detecting, and reporting malicious software; for monitoring log-in attempts and reporting discrepancies; and for creating, changing, and safeguarding passwords.
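Two of the items above (logging each point of access to files that contain private information, and monitoring log-in attempts for discrepancies) are concrete enough to show in code. The following is an added illustration written for this post, not something from the original article or from any vendor's actual system: a small tamper-evident access log for PHI files, and a check that flags accounts with repeated failed log-ins inside a short window. All user names, file paths, timestamps and thresholds are constructed for the example.

```python
# Added illustration (not from the post): a minimal audit trail for files that
# contain protected health information, plus a check over log-in events.
# All names, paths, times and thresholds below are constructed for the example.
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta


class PhiAccessLog:
    """Append-only record of every access to a PHI file.

    Each entry stores the SHA-256 digest of the previous entry, so deleting or
    editing an entry after the fact breaks the chain and verify() reports it.
    """

    def __init__(self):
        self.entries = []

    def record(self, user, path, action, granted, when):
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        entry = {
            "time": when.isoformat(),
            "user": user,
            "path": path,        # e.g. a raw video file from a shoot
            "action": action,    # "open", "copy", "export", ...
            "granted": granted,  # False when access control refused it
            "prev": prev,
        }
        body = json.dumps(entry, sort_keys=True).encode()
        entry["digest"] = hashlib.sha256(body).hexdigest()
        self.entries.append(entry)
        return entry["digest"]

    def verify(self):
        """Return True if the chain is intact, False if any entry was altered."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "digest"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != e["digest"]:
                return False
            prev = e["digest"]
        return True


def failed_login_discrepancies(events, threshold=3, window=timedelta(minutes=10)):
    """Report accounts with at least `threshold` failed log-ins inside `window`.

    events: iterable of (datetime, user, success) tuples, as an auth log would yield.
    Returns {user: largest number of failures seen in any single window}.
    """
    failures = defaultdict(list)
    for when, user, ok in events:
        if not ok:
            failures[user].append(when)
    report = {}
    for user, times in failures.items():
        times.sort()
        start, worst = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            report[user] = worst
    return report


T0 = datetime(2024, 3, 1, 9, 0)  # constructed base time for the sample data


def demo():
    """Run both checks on constructed sample data; returns (intact, tampered, flagged)."""
    log = PhiAccessLog()
    log.record("editor1", "/media/shoot42/cathlab_raw.mov", "open", True, T0)
    log.record("intern", "/media/shoot42/cathlab_raw.mov", "copy", False, T0 + timedelta(minutes=5))
    intact = log.verify()
    # Simulate an after-the-fact edit of the record: the chain no longer verifies.
    log.entries[1]["granted"] = True
    tampered = log.verify()

    auth_events = [  # constructed log-in events
        (T0, "editor1", True),
        (T0 + timedelta(minutes=1), "intern", False),
        (T0 + timedelta(minutes=2), "intern", False),
        (T0 + timedelta(minutes=3), "intern", False),
        (T0 + timedelta(hours=2), "editor1", False),
    ]
    flagged = failed_login_discrepancies(auth_events)
    return intact, tampered, flagged


if __name__ == "__main__":
    print(demo())  # (True, False, {'intern': 3})
```

The point for a marketer reviewing a vendor is not the code itself but what it makes visible: a log that names who touched which file and whether access was granted, a way to tell if that log was altered, and a routine that surfaces repeated failed log-ins instead of leaving them buried. A vendor who can show you equivalents of these three things is in a far better position than one who only promises to blur the finished product.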
If you’d like to learn more, I recommend checking out the HHS Audit Protocol.