A large hospital network in New Hampshire reached a settlement with HHS’ Office of Civil Rights (OCR) of $80,000 and a corrective action plan for oversharing patient information with the press. OCR states that during the COVID-19 pandemic the hospital shared images and information that were distributed on a national level, violating the HIPAA Privacy Rule.

This could have been avoided by a few cautionary steps. OCR highlights the importance of receiving written consent from all patients included in images and information. However, the process and procedure must be initiated and managed by a designated representative for consistency.

If you’re unsure where the responsibility of managing interactions with the press should lie, we suggest starting with your Incident Response Plan. While dealing with the media may not be deemed an incident right away, it should be handled by those who are well versed in HIPAA Privacy and Security Compliance to avoid a breach of patient information. If you already have an Incident Response (IR) plan in place, you can borrow from that section of the plan for this process. Within your IR plan there should be a section regarding the representative(s) responsible for communicating with the media if/when needed. We suggest starting with this department/person along with your Privacy or Compliance Officer, legal counsel and, if applicable, your Public Relations representative. With these experts in the same room, you can build on the IR plan already in place to decide how to deal with the press overall. The list of positions or people that are approved to communicate with the press should be clearly documented and easy to find. The media may not give you notice prior to coming to your facility, so it is important to outline in detail what the parameters are and to hold regular reminder training so that the designated representatives are very familiar with the process.

Additionally, and potentially the most important item to highlight, it is imperative that all organizational staff are trained and have regular reminders of how to handle any media requests should they be asked. This could be coupled with a social media policy outlined in your handbook and reiterated in the annual HIPAA Compliance training they receive. An employee may have good intentions of responding to a media request, but it is crucial that they do not unless they are the designated representative outlined in the policy and procedure discussed above.

Having this process in place could save your organization time, money, and reputation. On top of the fine for a violation of this nature, OCR can also issue a corrective action plan and monitor the organization’s progress. The monitoring time frame is generally 2 to 3 years.