Patient Images and Privacy Requirements

Earlier this year, Medscape published a discussion by a lawyer-engineer about some of the risks when transmitting patient images for publication. The situation that precipitated the commentary was one of those "oops" human errors that happen from time to time. A group of authors had submitted cropped photos of patients to a publication that requested copies of the original images, which were also provided. When the article was published, the authors were shocked to see that the printer had inadvertently reproduced the un-cropped images including identifying information that they had masked out.

Unless the authors had prior written permission to transmit Protected Health Information [PHI], this is clearly a violation of the Health Insurance Portability & Accountability Act [HIPAA]. Interestingly, the attorney who authored this piece opined that the journal most likely had no HIPAA liability, even though their printer disclosed the protected data, because neither is considered a covered entity under the law. Since the authors are almost certain to be covered entities [as health care workers], they would be liable for this breach and subject to the fines and prison terms that could result!

This is a timely reminder to all practitioners to remain vigilant about inadvertently disclosing patient information. Having the best of intentions is NOT a defense!

There are two methods to comply fully with the HIPAA laws. The first is to obtain specific written permission from the patients to disclose PHI. People are increasingly unwilling to sign blanket permissions of this sort, but many are willing to sign a release when it is explained that reporting some facts from their case could help improve care for others in the future.

The second, and often more practical, approach is to render information "not identifiable" - which is what the authors tried to do in this instance. The law states that a person "with appropriate expertise" can render information not identifiable by determining that the risk is very small that it could be used alone - or in combination with other reasonably available information - to identify the individual. However, the methods and results of the analysis that justify this decision must be documented. Just deciding it is OK to send cropped images will NOT suffice!

The law specifies certain "identifiers" that must be removed or coded to obscure their meaning to avoid disclosing PHI:

- Names
- All geographic subdivisions smaller than a State
- All elements of dates (except year) related to an individual, including birth date, admission date, discharge date, date of death. [For individuals > 89 years of age, year of birth cannot be used - all elements must be aggregated into a category of 90 and older.]
- Telephone and FAX numbers
- Electronic mail addresses
- Social Security Number
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plates
- Device identifiers and serial numbers
- Web universal resource locators (URLs)
- Internet protocol (IP) address
- Biometric identifiers, including finger and voice prints
- Full face photos, and comparable images
- Any unique identifying number, characteristic or code

While most of these are commonsense restrictions, CPOs should be wary about seemingly harmless disclosures such as the year of birth for clients older than 89 or the county or city of residence for any patient. Disseminating this information to unauthorized sources would be a prima facie violation of Federal law.
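As an added illustration (not part of the original article), the following Python routine applies the identifier list above to a structured case record: whole-field identifiers are dropped, dates are reduced to the year, a birth date for anyone over 89 becomes the "90+" category, and SSNs, phone numbers, e-mail addresses and the patient's name are scrubbed from free-text notes. The record, field names and regular expressions are assumptions constructed for the example.

```python
import re
from datetime import date

# Constructed sample case record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "birth_date": "1912-03-15",
    "admission_date": "2005-08-02",
    "city": "Boston",
    "state": "MA",
    "phone": "617-555-0100",
    "email": "jane.doe@example.com",
    "mrn": "MRN-0049182",
    "diagnosis": "traumatic transtibial amputation, left",
    "notes": "Jane Doe (SSN 123-45-6789) can be reached at 617-555-0100.",
}

# Identifiers held as whole fields are dropped outright.
# A State is the smallest geographic unit that may remain.
DROP_FIELDS = {"name", "city", "zip", "phone", "fax", "email", "ssn", "mrn", "account"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "date_of_death"}

# Identifiers that can hide inside free text, with the label that replaces them.
FREETEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
]

def age_on(birth: date, as_of: date) -> int:
    """Whole years of age on the given date."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))

def deidentify(record: dict, as_of: str) -> dict:
    """Return a copy of the record with the listed identifiers removed or reduced."""
    today = date.fromisoformat(as_of)
    name_tokens = [t for t in record.get("name", "").split() if len(t) > 2]
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key in DATE_FIELDS:
            d = date.fromisoformat(value)
            if key == "birth_date" and age_on(d, today) > 89:
                out["age_category"] = "90+"  # no birth year for patients over 89
            else:
                out[key.replace("date", "year")] = d.year  # keep only the year
            continue
        if isinstance(value, str):
            for pattern, label in FREETEXT_PATTERNS:
                value = pattern.sub(label, value)
            for token in name_tokens:
                value = re.sub(r"\b" + re.escape(token) + r"\b", "[NAME]", value)
        out[key] = value
    return out
```

Scrubbing free text this way catches only the patterns it knows about, so the documented expert review the law requires still has to read what remains.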

"Comparable images" will gradually become more clearly defined by case law based on litigation in coming decades. For now, this remains an ill-defined "gray area" in the law. It seems unlikely that a photo of an uncomplicated transtibial residual limb would be considered PHI, but a traumatic amputation with unique scar patterns is not as "generic" an image. Furthermore, disclosure of related data such as patient initials, diagnosis, and treating physician would increase the chances that a specific individual could be connected to the RL image, particularly in combination with the address of the facility [which identifies the specific location of treatment]. "Identifiable" is presently in the eye of the beholder, so clinicians would be well advised to interpret this definition conservatively until the courts have better clarified this aspect of the privacy requirements.

Partners™ Healthcare System in Boston has a very concise discussion of de-identified information and related HIPAA topics at healthcare.partners.org/phsirb/deidinfo.htm

Return to December 2005 Corner