privacy rights emergency team with stretcherWe always know when serious stuff has happened behind the scenes and OCR got involved. Some major violations of privacy rights must have happened when we see the OCR notice reminding everyone that you can not share patient information with the media without authorization.

A 5 star review is all we ask from our listeners.
Free HIPAA Training
Subscribe to the weekly email update from HMWH

I have read and agreed to your Privacy Policy.

In this episode:

HIPAA Privacy Rights Still Exist – Ep 256

The HIPAA Boot Camp

2020 COVID Session Dates

August 18, 19, 20

Online Version!!

For info go to

Registration Form


Share Help Me With HIPAA with one person this week!

Thanks to our donors.  We appreciate your support!
If you would like to donate to the cause you can do that at

Like us and leave a review on our Facebook page:

HIPAA Privacy Rights Still Exist

The guidance was released May 5th and clearly meant to make a point about protecting privacy of COVID-19 patients being treated in facilities where reporters and cameras are around.

OCR Issues Guidance on Covered Health Care Providers and Restrictions on Media Access to Protected Health Information about Individuals in Their Facilities

The notice included a special “cheat sheet” or FAQ. I didn’t think it was necessary to reiterate this but then I watched anything about COVID and remembered why they did it.

HIPAA and disclosures of PHI to the media

This virus is going to be with us for a while.  There are plenty of things we must learn in order to handle it as part of our normal routines. Whether that is wearing masks or allowing us to have personal space it takes some getting used to for all of us. Even hand washing has been a new reality to some.  But, having the right to privacy as a patient in your care is not something that is new or something that has changed.  Period.

Let’s review.  What things were eased for the crisis will not stay that way (well except maybe NPP paperwork). There was never a point that the patient’s right to privacy was eased in any way.  Get in line everyone. If we are opening back up you have to put your big girl panties back on and behave as you know you should.  Well for some that means putting on clothes but that is irrelevant here.

The documents released have simple information but it seems we all need to make sure those under our tutelage will need to be reminded of certain things.  Just look at what the FAQ included:

Does the COVID-19 Public Health Emergency alter the HIPAA Privacy Rule’s restrictions on disclosures of protected health information to the media?  


It never did change. Not at all. They had to be this specific in the guidance:

OCR Guidance

As explained in prior guidance, HIPAA does not permit covered health care providers to give the media, including film crews, access to any areas of their facilities where patients’ PHI will be accessible in any form (e.g., written, electronic, oral, or other visual or audio form), without first obtaining a written HIPAA authorization from each patient whose PHI would be accessible to the media. Additionally, covered health care providers may not require a patient to sign a HIPAA authorization as a condition of receiving treatment.

They added the emphasis. I know they wanted to do it in all caps but that really comes later.

May HIPAA-covered health care providers allow media or film crews to film patients in their facilities where patients’ protected health information will be accessible without the patients’ authorization if the patients’ faces are blurred or their identities are otherwise masked in the video?


This one made me take a deep breath. It is like they think it is ok for the reporters, film crew and anyone else that needs to be involved in production to see them and have access to the information as long as they blur out the images when it is broadcast to the public! Really people. I know it feels like the virus is eating our brains even when we don’t have it but come on. This is not new information. Take a minute and think about your patients.

It is important to acknowledge that everyone is one the edge and that probably is a major reason why people made mistakes. But, we all know that some of those mistakes would be made with or without a crisis. Those are the ones that drive me most nuts. I can understand making mistakes under the enormous pressure but other people are supposed to be there to make these kinds of decisions. Maintaining privacy in a crisis should be part of your incident response and business continuity plans. If it is not, add it now.

They pointed out this is not new either. Remember the filming crew settlements a few years ago. We did an episode on them.

In 2016 and 2018, OCR successfully resolved investigations of covered hospitals’ unauthorized disclosures of patients’ PHI to television film crews. All of the cases concluded with corrective action plans and monetary settlements.OCR Guidance May 5, 2020

Can a covered health care provider ever allow the media to film patients in areas of their facilities where patients’ PHI will be accessible?


Here is what they said in a very polite way to address this one more time.

OCR Guidance
If every patient who is or will be in the area, or whose PHI otherwise will be accessible to the media, has first signed a valid HIPAA authorization, then a covered health care provider may permit the media to film in areas of their facilities where patients’ PHI will be accessible.

Even then, covered health care providers must ensure that reasonable safeguards are in place to protect against unauthorized disclosures of PHI. Reasonable safeguards can include installing computer monitor privacy screens to prevent the film crew from viewing PHI on computers, and setting up opaque barriers to block the film crew’s access to the PHI of patients who did not sign an authorization.

I just see the way Tom Hanks screams “THERE’S NO CRYING IN BASEBALL!” and OCR wanting to scream the same way saying “ONLY WITH AN AUTHORIZATION!!!”

More privacy rights failure cases out there

From a listener:

Don’t know if you two have seen this yet, but thought it might be worthwhile for you to hit on the podcast. Really made me pretty mad when I read it. Someone violated HIPAA. Don’t know who, but this is a travesty to me.

Post-it note left for woman diagnosed with COVID-19 reads no more mail delivery

Thanks for all you guys do.

Tony Schloss

Castle Labs

The people diagnosed with COVID-19 still have privacy rights. If they aren’t quarantining properly to protect the public that is a different story. This woman was staying home and doing what she has been asked to do. There was no reason for the violation of her privacy rights at all. Delivering mail to a mailbox out by the street doesn’t expose you to COVID-19.

Privacy Rights Before and After COVID-19

Now seems like a good time to make a list of the things that were eased for the crisis. These protections were not removed in any way. Privacy rights were never suspended by any of these announcements. Time to get ready to go back to HIPAA as normal folks. To be sure we don’t miss anything let’s review the timeline of OCR announcements once again. This time we will make specific points as to what you should make sure you are prepared to return to normal.

February 2020 Bulletin: HIPAA Privacy and Novel Coronavirus

March 28, 2020 BULLETIN: Civil Rights, HIPAA, and the Coronavirus Disease 2019 (COVID-19)

Update on HIPAA and COVID-19 Webinar April 24, 2020

HIPAA and COVID-19 Updates

  • February Bulletin on HIPAA and COVID-19
  • Notification of Enforcement Discretion on Telehealth Remote Communications
  • Guidance on Telehealth Remote Communications
  • Guidance on Disclosures to Law Enforcement, Paramedics, Other First Responders, and Public Health Authorities
  • Notification of Enforcement Discretion on Uses and Disclosures of Protected Health
  • Information (PHI) by Business Associates for Public Health and Health Oversight Activities
  • Notification of Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites

These OCR updates explain where they may relax the enforcement of the rules and regulations to help us get through the crisis. It does not say that the rules are gone. Please keep in mind that we all have privacy rights until we do something that allows others to step in. Even then that should be done by proper authorities following proper procedures.

As we figure out how to live with COVID-19 there will be a lot of missteps and disagreements over what can be shared by whom and with whom. Unless there is a major change made, HIPAA still exists and very little will change once they remove the enforcement discretion period. If anything, we may have to worry about more specific protections for patients who test positive for the disease. It is unlikely these rights and protections will just be removed. We must educate all parties involved, as best we can, to protect everyone in a reasonable and appropriate manner.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.