Physician Office Baby Photos on Display Require HIPAA Authorization

According to a recent article in the New York Times, a Health and Human Services Office of Civil Rights (“OCR”) spokesperson has confirmed that photos on display in a physician’s office (such as those frequently displayed by obstetricians or pediatricians) violate HIPAA unless the parents have signed a HIPAA-compliant authorization. The OCR spokesperson noted that the fact that the parents sent or otherwise provided the photos to the physician’s office is not sufficient authorization for HIPAA compliance.

According to the HIPAA regulations, a full-face photographic image is one of the 18 identifiers that result in information being considered “protected health information” or PHI. Absent a specific HIPAA exception, PHI can only be disclosed for treatment, payment, or health care operations, unless the patient or the patient’s personal representative signs a HIPAA-compliant authorization.

To be HIPAA compliant, an authorization must be signed and dated by the patient or the patient’s personal representative (including a statement of the personal representative’s authority) and must include all of the following:

  1. A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;
  2. The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;
  3. The name or other specific identification of the person(s) or class of persons, to whom the covered entity may make the requested use or disclosure;
  4. A description of each purpose of the requested use or disclosure; and
  5. An expiration date or expiration event that relates to the individual or the purpose of the use or disclosure.

Because of the detailed requirements of a HIPAA authorization, a note accompanying the photo indicating that the photo could be placed on display would not be sufficient to comply with HIPAA.

The OCR spokesperson noted that no physician offices to date have been fined for noncompliance.
