Posting Patient Photos

In 2014, the Office for Civil Rights addressed the issue of posting patient photos in a medical or dental practice (most commonly of pediatric and orthodontic patients). In an article dated August 9, 2014, the New York Times quoted Rachel Seeger, from the Office for Civil Rights of the Department of Health and Human Services, as saying “A patient’s photograph that identifies him/her cannot be posted in public areas” unless there is “specific authorization from the patient or personal representative.” Under HIPAA’s Privacy Rule, sharing identifiable information without an authorization from the patient (or the patient’s parent, in the case of a minor) is a violation.

Rarely, if ever, does a parent know to include an authorization with a photo submission. It seemed to make perfect sense that submission of a patient photo was, by default, an authorization for its posting. However, since the OCR has specifically addressed the issue, we don’t recommend posting photos without a proper authorization form in place.

If your practice does not have the time or resources to track down authorizations for photos sent in by families, you are permitted to post photos in a private staff area, as workforce members are permitted to view patient information and are responsible for keeping it confidential under HIPAA regulations. Other practices may choose to circulate photos among staff before filing them in a patient chart or shredding them. However, if it has become an important custom in your practice to share patient photos, such as by posting them in the waiting area, you may use the following language and required elements to develop an appropriate authorization form.

  1. Include a space for the patient or personal representative to record the patient name, and an identifier, such as date of birth.
  2. Include the name of the practice, under a heading “Entity Requested to Release Information.”
  3. Purpose of Request/Entity Authorized to Receive Information – I authorize the entity identified above to disclose the protected health information described below to the following individual(s):

    • Patients and visitors to the practice.
  4. Description of Information to Be Disclosed – I authorize the practice to disclose the following protected health information to the entity, person or persons identified above.

    • Images of myself, my children, and/or other family members as provided by myself, or my personal representative.
  5. Purpose of Disclosure:

    • By submitting these images, I hereby grant full permission to the practice to use them in print publications, video and multimedia presentations, websites and/or for any purpose which may include, but not be limited to display, public relations, marketing or designs.
  6. Required Statements:

    Include an expiration date or meaningful event when the authorization will expire, a statement regarding the patient/personal representative’s right to terminate the authorization, a non-conditioning statement, a re-disclosure statement, and a statement of the patient/personal representative’s right to receive a copy of the authorization upon request. All of these statements are required on any HIPAA authorization form. Simply copy the required statements from your practice’s other authorization forms.

  7. Include a signature and date line.

Subscribers to the HIPAA Compliance System may access a photo release authorization form (Form 7.31 Limited Patient Authorization for Disclosure of PHI/Photo Release) in the Member Services area of our website (on the HIPAA Compliance System materials page, under the HIPAA Forms heading). The form is in a word processing format so that it can be easily customized to the needs of your practice.

HIPAA Privacy and the Opioid Crisis

The Office for Civil Rights has issued new guidance on when and how healthcare providers can share a patient’s health information with his or her family members, friends, and legal personal representatives when the patient may be in crisis and incapacitated, such as during an opioid overdose.

The following explains how a practice can share patient information (without patient authorization) with family members or designated friends during certain crisis situations, such as an opioid overdose.

  1. Sharing health information with family and close friends who are involved in care of the patient if the provider determines that doing so is in the best interest of an incapacitated or unconscious patient and the information shared is directly related to the family or friend’s involvement in the patient’s healthcare or payment for care.  For example, a provider may use professional judgment to talk to the parents of someone incapacitated by an opioid overdose about the overdose and related medical information, but generally could not share medical information unrelated to the overdose without permission.
  2. Informing persons in a position to prevent or lessen a serious and imminent threat to a patient’s health or safety. For example, a doctor whose patient has overdosed on opioids is presumed to have complied with HIPAA if the doctor informs family, friends, or caregivers of the opioid abuse after determining, based on the facts and circumstances, that the patient poses a serious and imminent threat to his or her health through continued opioid abuse upon discharge.

For patients with decision-making capacity: A health care provider must give a patient the opportunity to agree or object to sharing health information with family, friends, and others involved in the individual’s care or payment for care. The provider is not permitted to share health information about patients who currently have the capacity to make their own health care decisions, and object to sharing the information (generally or with respect to specific people), unless there is a serious and imminent threat of harm to health as described above. 

Decision-making incapacity may be temporary and situational, and does not have to rise to the level where another decision maker has been or will be appointed by law.  If a patient regains the capacity to make health care decisions, the provider must offer the patient the opportunity to agree or object before any additional sharing of health information.

For example, a patient who arrives at an emergency room severely intoxicated or unconscious will be unable to meaningfully agree or object to information-sharing upon admission but may have sufficient capacity several hours later. Nurses and doctors may decide whether sharing information is in the patient’s best interest, and how much and what type of health information is appropriate to share with the patient’s family or close personal friends, while the patient is incapacitated so long as the information shared is related to the person’s involvement with the patient’s health care or payment for such care.  If a patient’s capacity returns and the patient objects to future information sharing, the provider may still share information to prevent or lessen a serious and imminent threat to health or safety as described above.

While HIPAA provides a patient’s personal representative the right to request and obtain any information about the patient that the patient could obtain, and under state law, a personal representative designation generally authorizes the person to make healthcare decisions for the patient, there may be conflict with existing state laws regarding information related to substance abuse treatment. If a state’s law is more restrictive regarding the communication of patient information (for example, state law might state that substance abuse treatment information can only be shared with treatment personnel involved in treatment), then your practice should rely on the requirements of the more restrictive law (in this example, state law).

Disclosure to Medical/Dental Device Companies

We are often asked whether a patient authorization is required in order to disclose protected health information (PHI) to a medical or dental device company. Similarly, practices have asked whether device companies will be considered business associates of the practice. The answer to both questions lies in whether or not the device company is considered a healthcare provider, as defined by the Privacy Rule.

A healthcare provider is defined as an entity that furnishes, bills or is paid for healthcare in the normal course of business.

If the device company provides healthcare (care, services or supplies related to the health of an individual), the company will be considered a healthcare provider (and must comply with HIPAA requirements as a covered entity). A patient authorization is not required in order to disclose PHI to other healthcare providers that are involved in the treatment of a patient. Nor is a business associate agreement required with such entities.

For more detailed information, please see the article “Medical & Dental Device Companies” in the December 2015 Advisor.