Stemple Quoted on Avoiding PHI Disclosure with Strong HIPAA Compliance Programs

Partner Hillary Stemple was featured in an article discussing a recent HHS Office of Civil Rights settlement resolving allegations related to the use of photos and other protected health information (PHI) in health care provider marketing materials without patient authorization in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

Hillary said that the settlement is a clear example of why covered entities should remember that HIPAA requirements apply to all facets of their organization, not just those involving PHI for treatment, payment, or operational purposes. She added that HIPAA explicitly requires obtaining valid, written authorization prior to using PHI in marketing materials.

“Essentially, the settlement is a reminder of how vital it is to have a robust HIPAA compliance program. This includes implementing role-specific training throughout organizations to account for individuals whose job functions require them to either commonly or rarely use PHI,” Hillary said. “This ensures that all workforce members understand what restrictions apply and when to ask questions or raise potential concerns to the appropriate supervisor, compliance officer, or privacy and security officers.”

Hillary said that covered entities should always consider whether HIPAA applies and that a strong HIPAA compliance program can help the entity’s workforce understand what information, photos, or combination of details constitutes PHI and triggers the requirement to secure authorization.

“Consistent HIPAA training also ensures that everyone understands when an authorization is valid,” Hillary said. “This helps to avoid situations where, for example, a workforce member believes they can rely on a patient’s verbal consent for the use of PHI in marketing initiatives and then fails to obtain a valid, written authorization.”

Hillary said that the settlement highlights the growing intersection of HIPAA and public-facing websites and apps where patient images, which can constitute PHI, may appear. If a covered entity relies on these platforms for marketing purposes, they should have processes in place to obtain authorizations prior to posting patient images and routinely audit compliance with those policies.

“Such reviews should also include assessing whether the organization is using patient photos on public-facing websites and apps and whether valid HIPAA authorizations support such uses and disclosures,” she said, adding that if a covered entity wants to use photos and images for marketing, it can minimize the risk of violating HIPAA by obtaining authorizations as part of the initial patient intake or onboarding process, ensuring each patient understands that their PHI may be used in marketing campaigns in the future. If it is not feasible, the covered entity can develop specific marketing protocols that require obtaining valid authorizations when rolling out new initiatives that involve patient photos or images, she said.

“A covered entity’s marketing team could also work with the organization’s compliance officer to develop a ‘library’ of images from patients who have signed authorizations on file granting the provider permission to use their photos or images,” Hillary said. “This library could be maintained specifically for marketing purposes and updated with each new patient who provides the required authorization. In this case, it would also be prudent to develop policies around removing PHI from the library if explicitly requested by a patient or upon expiration of the authorization.”

She said that marketing teams may no longer be relying on formal photo shoots to capture images for patient testimonials or examples of patient activities because of the convenience of using a cellphone, particularly when posting on social media.

“There is a real risk that a marketing representative may take a patient’s photo using a phone without thinking about the HIPAA implications, particularly if the marketing representative forgets to delete the photo from their phone and inadvertently shares a patient’s image or information,” Hillary said. “This is why proper training is so crucial. Not only does it help provide oversight at a company level, but it helps train individuals on how to differentiate between improper and proper uses and disclosures of PHI.”

If a covered entity discovers that photos containing PHI have been used for marketing purposes without adequate authorization, the appropriate team members should immediately remove those images from any public-facing platform and replace them either with stock images or photos of patients who have consented to their information being used, she said.

Hillary added that the next step would be to conduct an internal breach assessment to determine whether the unauthorized use of the photos created a reportable breach. If the assessment indicates that a breach occurred, the covered entity should notify the affected individuals and develop internal policies to ensure that, going forward, valid authorizations are obtained for any patient images the entity wants to use for marketing purposes.

Read the full article here.