Fall, 2015
HOLIDAY CHEER COULD LEAD TO HIPAA JEER
By Robert Fallen, BACTES Privacy Officer
As the holidays are approaching, many physicians’ offices, hospitals, and their associates will no doubt be planning and hosting
parties in celebration of the holidays. However, in this technologically advanced era where mobile phones are capable of
producing high-quality pictures or videos that can be instantly shared between devices and/or social media websites, we must
all be aware of our surroundings before capturing these treasured moments. What may seem to be an innocent picture or
video taken in the workplace where protected health information (PHI) is kept could easily pose a risk of a breach, as the
following events clearly show:
In 2014, staff members and physicians celebrated Halloween by dressing up as their favorite superheroes, and pictures taken by
an employee throughout the day were posted to a social media website. One picture in particular was taken of a physician
who, unbeknownst to the employee, was entering exam notes in a patient’s electronic medical record. When a coworker viewed
the posted pictures several days later, he took note of the computer screen in
front of the physician. Out of curiosity, he enlarged the digital image and, much
to his surprise and shock, he could clearly make out the patient’s name, birth
date, medical record number, and date of the visit! As any well-trained
employee should do, he promptly notified the office manager who instructed
the employee who posted the picture to immediately remove it from the
website. Although there was no intent to harm, the fact that a patient’s PHI
could have been viewed by anyone not authorized to do so resulted in a HIPAA
breach in which the patient and the state public health department had to be
notified. The physician’s office has since implemented a policy prohibiting
anyone from taking photographs in work areas where PHI could exist.
You may be asking yourself, “How can that be a breach?”
A breach is defined as the unauthorized acquisition, use, access, or disclosure of PHI which compromises the privacy and
security of an individual’s information. Any actions that violate privacy laws and regulations, regardless of intent, can result in
progressive disciplinary action or termination, a corrective action plan imposed by the Office of Civil Rights, civil penalties, or
even criminal prosecution for some willfully committed violations. So, before the holiday season begins and memories are
captured on film or video and shared with the internet community, I would like to take this opportunity to offer some practical
advice regarding the use of photography and social media.
‒ Develop policies and procedures, tailored to your work environment, regarding the use of photography and social media.
Ensure that policies and procedures are easy to read and understand, provide accurate definitions, address specific issues,
define what is acceptable and what is prohibited, instruct on how to respond to a violation, and outline the consequences
faced when a violation of a policy occurs.
‒ Implement the approved policies and procedures and provide necessary training to ALL workforce members. Education and
training are essential and a key component in ensuring that workforce members understand the importance of protecting patient
privacy and confidentiality and the penalties for not doing so.
‒ Observe the workplace environment and behavior to gauge the effectiveness of the policies and procedures and correct
workforce members who do not understand or neglect to follow them.
‒ Review key policies and procedures annually. The frequency and scope of the review can be adjusted as circumstances
change or needs dictate.
Please don’t think I’m the boogeyman or Scrooge on a mission to ruin your holiday fun. I just want to ensure that everyone’s
time is spent enjoying each other’s company and celebrating the spirit of the holidays by calling your attention to something
innocent that could easily result in unfortunate consequences. And this applies to any celebration, not just Halloween! So from
the Privacy Office at BACTES, we wish our employees and our clients a joyous, happy, and uneventful HIPAA holiday season!!
***
BACTES Imaging Solutions, LLC • 800.560.3800 • www.bactes.com