Do Family, Friends' Photos Trigger HIPAA Violations?
News that Martin Memorial Medical Center in Stuart, FL, disciplined several employees for taking cell phone pictures of the victim of a Feb. 3 shark attack who later died has generated a lot of interest on our HealthLeaders Media Web site.
The Martin Memorial incident was a clear violation of HIPAA privacy laws. What happens, though, when the shutterbug is not an employee, but a relative or a friend of the patient or even someone walking through the emergency department who otherwise has no connection with the patient or the hospital?
Digital cameras are standard equipment on most cell phones. This could make anyone walking into your hospital a potential photojournalist.
An emergency clinician—who is not connected to Martin Memorial or the shark attack incident—sent me an email asking that question. He writes:
"I am a provider working in the ER and have often had a case where either family or friends are taking pictures of the patient that is getting a splint after breaking something or in the process of getting stitched up. I often don't know this is happening until the cameral flash is going off and next thing you know, I am on someone's Facebook page stitching up their friend in the ER (my patient)."
"I realize we can't stop the interest of family and friends and their uncontrolled urges to capture every moment with the advances of technology and a camera on everyone's phone. The question that I raise is how does this work with HIPAA? Should we be banning camera phones in the ER/hospitals/clinics? Good luck with that one. Are the medical providers or the facilities at risk for violations?"
"Obviously a provider or other medical employee would face violation if these were taken and released, but what about something coming back to us that originated from a non-medical providers phone camera and the patient that agreed to have the picture taken due to peer pressure only to regret it later?"
I asked the Department of Health and Human Services' Office of Civil Rights about it. They replied: "Entities subject to the HIPAA Privacy and Security Rules are covered entities: health plans, healthcare providers, and healthcare clearinghouses. Generally speaking, a covered entity would not be responsible for the actions by a patient's friends or family."
So it appears that you and your hospital are off the hook if family or friends are taking the pictures. We live in a very litigious society, however. Can a patient sue his hospital for failing to protect his privacy when a stranger–someone not connected to the provider or the patient—takes a quick cell phone photo of the patient waiting in a hallway, or lying on a gurney?