Do Family, Friends' Photos Trigger HIPAA Violations?

By John Commins | March 08, 2010

News that Martin Memorial Medical Center in Stuart, FL, disciplined several employees for taking cell phone pictures of the victim of a Feb. 3 shark attack who later died has generated a lot of interest on our HealthLeaders Media Web site.


The Martin Memorial incident was a clear violation of HIPAA privacy laws. What happens, though, when the shutterbug is not an employee, but a relative or a friend of the patient or even someone walking through the emergency department who otherwise has no connection with the patient or the hospital?

Digital cameras are standard equipment on most cell phones. This could make anyone walking into your hospital a potential photojournalist.

An emergency clinician—who is not connected to Martin Memorial or the shark attack incident—sent me an email asking that question. He writes:

"I am a provider working in the ER and have often had a case where either family or friends are taking pictures of the patient that is getting a splint after breaking something or in the process of getting stitched up. I often don't know this is happening until the camera flash is going off and next thing you know, I am on someone's Facebook page stitching up their friend in the ER (my patient)."

"I realize we can't stop the interest of family and friends and their uncontrolled urges to capture every moment with the advances of technology and a camera on everyone's phone. The question that I raise is how does this work with HIPAA? Should we be banning camera phones in the ER/hospitals/clinics? Good luck with that one. Are the medical providers or the facilities at risk for violations?"

"Obviously a provider or other medical employee would face violation if these were taken and released, but what about something coming back to us that originated from a non-medical provider's phone camera and the patient that agreed to have the picture taken due to peer pressure only to regret it later?"

I asked the Department of Health and Human Services' Office of Civil Rights about it. They replied: "Entities subject to the HIPAA Privacy and Security Rules are covered entities: health plans, healthcare providers, and healthcare clearinghouses. Generally speaking, a covered entity would not be responsible for the actions by a patient's friends or family."

So it appears that you and your hospital are off the hook if family or friends are taking the pictures. We live in a very litigious society, however. Can a patient sue his hospital for failing to protect his privacy when a stranger, someone not connected to the provider or the patient, takes a quick cell phone photo of the patient waiting in a hallway, or lying on a gurney?

John C. Parmigiani, president of John C. Parmigiani & Associates, LLC, says hospitals should post signs at the entrance to the ED or near ED examining rooms stating that picture taking is not permitted. That way, if a visitor ignores the rules, takes a picture and posts it online, the hospital can at least demonstrate that it was exercising reasonable measures to protect patient privacy. "To me, the posting prohibiting picture taking would represent another example/level of 'due diligence' on the part of the hospital," Parmigiani says.

Kate Borten, CISSP, CISM, president of The Marblehead Group, says HIPAA expects healthcare providers to take "reasonable" measures to protect patient privacy, but also "accepts situations such as waiting rooms where patients can be seen by the public or a family member accompanying a patient to a bed in the ER. As long as the hospital wasn't doing something out of the norm, then it shouldn't have any liability when a member of the public snaps a picture."

HIPAA makes an "absolute distinction" between the hospital's workforce (a term defined in the regulations) and everybody else. "Organizations are responsible for the actions of their workforce, but not for the rest of the world," Borten says.

Given the frivolous or groundless nature of some lawsuits, it's understandable if hospitals and their employees are skittish about patient privacy violations. In the case of the shark attack victim at Martin Memorial, they should be skittish. They screwed up. However, if you exercise common sense and simply recognize that the person you're treating deserves the same respect and confidence that you'd want for yourself or your family, you shouldn't have anything to worry about.

John Commins is a content specialist and online news editor for HealthLeaders, a Simplify Compliance brand.
