Three Tips to Protect PHI While Promoting Your Health Care Facility
Hospitals and medical clinics do wonderful work in our communities. Every organization wants to celebrate the work done by its medical professionals. However, sometimes marketing and promotions can open health care providers up to HIPAA claims. As the holidays approach and you consider publicizing the great work of your doctors and nurses, be sure not to disclose protected health information (PHI).
On Nov. 20, 2023, the Department of Health and Human Services’ Office of Civil Rights (OCR) announced a settlement with a New York hospital relating to the disclosure of PHI in an Associated Press article on the hospital’s response to the COVID-19 pandemic. The article contained photographs and information about the hospital’s patients.
OCR determined the hospital disclosed three patients’ PHI to the Associated Press without obtaining written permission from the patients. This information had the effect of disclosing the patients’ COVID-19 diagnoses, current medical status, prognosis and treatment plans.
Based on this disclosure, the hospital agreed to pay an $80,000 civil penalty and implement a corrective action plan, including drafting new written policies and procedures.
OCR media guidance makes clear that covered entities cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ PHI will be accessible in written, electronic, oral or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI will otherwise be accessible.
Before promoting your services through the media, consider these tips:
- Members of the media may access areas of health care facilities that are otherwise generally accessible to the public.
- Any patient whose PHI is disclosed must sign a release before disclosure.
- If a provider contracts with or engages a media company to produce promotional materials that may involve the disclosure of PHI (such as patient testimonials), in addition to any required patient authorizations, the provider must enter into a HIPAA-compliant business associate agreement with the media company.
  - The business associate agreement must ensure that the media company will safeguard the PHI it obtains, only use or disclose the PHI for the purposes provided in the agreement, and return or destroy any PHI after the work for the health care provider has been completed.
  - As a business associate, the media company must comply with the HIPAA Security Rule and a number of provisions in the Privacy Rule, including the Rule’s restrictions on the use and disclosure of PHI.
Health care providers are important parts of our communities. The services offered by those entities should be widely reported. HIPAA allows covered entities to inform the media of their treatment services and programs so that the media can better inform the public, provided that, in doing so, the covered entity does not share individuals’ PHI without their prior authorization.
Phelps will continue to monitor laws and rules surrounding the marketing of medical practices, advertising and HIPAA disclosures. If you have questions, please contact Andrew Coffman or any member of our Intellectual Property team regarding advertising or Blake Adams or any member of our Health Care team regarding HIPAA disclosures.