Last Sunday’s New York Times article by Anemona Hartocollis on the illegality of posting baby pictures in a doctor’s office made me wonder if anyone I know could pick my kids’ faces out of a lineup of cute newborn photos posted on the wall of a doctor’s office.
I like to think my kids had the most adorable, memorable baby faces ever, but the reality is that most babies are adorable and I’m not sure even my closest friends would recognize my kids’ faces in a doctor’s office baby photo collage. If not, would their photos even be protected health information (PHI) — or would this posting really jeopardize the privacy or security of the PHI in a manner violative of HIPAA?
Before HIPAA hullabaloo becomes HIPAA hysteria, it’s often helpful to do a quick rundown of a few important (albeit oversimplified) HIPAA basics:
- PHI is “individually identifiable health information”
- “Individually identifiable health information” is a subset of health information that is:
  - created or received by a health care provider;
  - relates to the past, present or future physical or mental health or condition of an individual or the past, present or future provision of health care to an individual; and
  - identifies the individual.
OK, let’s say a proud parent sends the doctor a photo of a blinking or sleeping newborn, or even a picture of a smiling toddler, presumably because the doctor treated the child (or, in the case of an ob/gyn, treated the mother – who, by the way, is not in the photo to begin with in my scenario). The doctor then adds the photo to a collage or gallery of photos posted in the doctor’s waiting room that has no names, dates, or other identifiers. If the doctor actually treated the baby or child, the receipt and posting of the photo could be viewed as being “related to” past treatment of the baby or child (though perhaps the doctor includes friends’ and family members’ cute baby photos in the collage, as well). If third parties could look at the photo and identify the baby or child, which is arguably the case for some limited period of time (a period that is particularly limited, most would agree, in the case of a newborn photo), and it’s obvious that the photos are all photos of the doctor’s patients, then I could concede that the photo constitutes PHI.
But that wouldn’t mean the waiting room posting was necessarily a HIPAA breach, even without the appropriate written, HIPAA-compliant authorization.
Another (again, oversimplified) HIPAA basic:
- A “breach” excludes a disclosure of PHI where a covered entity (here, the doctor) has a “good faith belief” that an unauthorized person to whom the disclosure was made (other patients or visitors to the office, if the parent did not authorize the posting) would not reasonably have been able to retain the information.
Here’s where the facts and common sense come into play. Let’s say the doctor’s office posts a sign requesting that patients and visitors not use cell phones in the waiting room, and that a receptionist or staff member has full view of the waiting area. Let’s also imagine that the baby photo gallery contains dozens, or even hundreds, of baby photos. Arguably, it is not very likely that the parent waiting with a kid at the pediatrician’s office, or even the interviewing staff member or waiting vendor, will memorize an individual baby’s face so as to identify that baby as having received services from this doctor.
I admit to spending a great deal of time trying to prevent HIPAA breaches, but sometimes HIPAA compliance morphs into unnecessary HIPAA hullabaloo that can be calmed by a quick review of HIPAA basics, some common sense, and a few deep breaths.