John C. Parmigiani, president of John C. Parmigiani & Associates, LLC, says hospitals should post signs at the entrance to the ED or near ED examining rooms stating that picture taking is not permitted. That way, if a visitor ignores the rules, takes a picture and posts it online, the hospital can at least demonstrate that it was exercising reasonable measures to protect patient privacy. "To me, the posting prohibiting picture taking would represent another example/level of 'due diligence' on the part of the hospital," Parmigiani says.
Kate Borten, CISSP, CISM, president of The Marblehead Group, says HIPAA expects healthcare providers to take "reasonable" measures to protect patient privacy, but also "accepts situations such as waiting rooms where patients can be seen by the public or a family member accompanying a patient to a bed in the ER. As long as the hospital wasn't doing something out of the norm, then it shouldn't have any liability when a member of the public snaps a picture."
HIPAA makes an "absolute distinction" between the hospital's workforce (a term defined in the regulations) and everybody else. "Organizations are responsible for the actions of their workforce, but not for the rest of the world," Borten says.
Given the frivolous or groundless nature of some lawsuits, it's understandable if hospitals and their employees are skittish about patient privacy violations. In the case of the shark attack victim at Martin Memorial, they should be skittish. They screwed up. However, if you exercise common sense and simply recognize that the person you're treating deserves the same respect and confidence that you'd want for yourself or your family, you shouldn't have anything to worry about.