Care to comment on the NY Times Baby Picture Kerfuffle?
Happy to! For those who missed the NYT's article published on August 10th, click here
to read reporting on large institutions encouraging practitioners from posting baby photos as a prohibited practice under HIPAA.
We can all agree there is merit to the HIPAA laws protecting patient privacy. To assert having our private health information as public record would a deterrent to care is an understatement and would significantly make light of a legitimate patient concern. However, where do we draw the line between protective and preposterous? Oftentimes the line is thin and not obviously recognizable, and oftentimes laws, rules and regulations are drafted with wide room for interpretation. Here too, the HIPAA law leaves itself to interpretation, sometimes explained through its enforcement. To shed some light on applicable definitions - HIPAA protects and requires protections of all individually identifiable information unless proper consent is obtained/received. So, the question at issue here, is whether a baby photo constitutes "individually identifiable information", which may also be taken through context. Would images of a baby on hospital surveillance constitute individually identifiable health information? Would that surveillance also capture the baby's name potentially, address or possibly parent insurance information? In context, that baby image, if public, would potentially, or absolutely cause a stir and cause for concern. The issue discussed in the NYT article, posting baby photos submitted by parent's that are hung anonymously and very arguably would not be easily, if at all, be traced back to an individual, is remarkably different than the surveillance example. Here we have (assumed) a legal guardian, most likely an authorized parent, sharing a treasured photo (presumably consent, implied if not explicit).
To this date I am unaware of the Office for Civil Rights targeting any practitioner for posting baby photos. Similarly, the Office for Civil Rights does not address release of photos, or in particular, baby photos, as a cause or area of particular concern.
So, where do I shake out on this issue - posting of images that are most likely not "individually identifiable", for which consent is implied, is likely a low risk for HIPAA exposure. If you are concerned about HIPAA, which we all should be given increased enforcement, and you wish to be extra careful, ask parents to sign a short release authorizing posting of a submitted baby photo. Happy to help with drafting if requested.