OCR Warns Hospitals: No News Media in Treatment Areas Without Patient Authorization

May 27, 2020 David Holtzman

The Office for Civil Rights (OCR) at the U.S Department of Health and Human Services (HHS) recently issued guidance and FAQs reminding health care providers that the COVID-19 public health emergency has not changed the federal health privacy protections concerning disclosure to the media an individual’s health information or reporting on their treatment. OCR has previously placed special emphasis through its enforcement activity that the HIPAA Privacy Rule does not permit health care providers to give media and film crews access to facilities where patients or their protected health information (PHI) will be accessible without the patients’ prior authorization.

The most recent guidance explains that even during the current COVID-19 public health emergency, health care providers are still required to obtain a valid HIPAA authorization from each patient whose PHI will be accessible to the media before the media is given access to that PHI.  The accompanying FAQ goes on to clarify that masking or obscuring patients’ faces or identifying information before broadcasting a recording of a patient’s treatment or testing in a community based testing site is not sufficient, as a valid HIPAA authorization is still required before giving the media access to the facility or treatment area.  In addition, the guidance describes reasonable safeguards that should be used to protect the privacy of patients whenever the media is granted access to facilities.

However, OCR’s decision to relax enforcement of the HIPAA standards for healthcare providers operating some COVID-19 testing sites removes the threat of the agency levying fines or penalties for violations of the Privacy or Breach Notification Rules when a covered entity allows members of the media to observe or film treatment associated with services provided contemporaneously to the testing service.

The Notice of Enforcement Discretion for Community Based Testing Sites During the COVID-19 Nationwide Public Health Emergency encourages, but does not require, covered entities and business associates operating Community Based Testing Sites (CBTS) to put into place physical safeguards to shield patients from view during the testing process as well as to provide a buffer to keep the media away from patients at a CBTS.[i]

The HIPAA Privacy Rule balances patients’ rights to control how and when their protected health information is disclosed for purposes outside of treatment while allowing health care providers flexibility to use and disclose PHI in order to treat that patient or coordinate the continuation of that care with family members and partners.

While OCR has used its enforcement discretion during the COVID-19 public health emergency, OCR has drawn a line in the sand that covered entities risk consequences when disclosing PHI to the media without patient authorization. Health care providers must approach very carefully the risks of their obligations to shield PHI when exposing patients or their treatment records to the glare of television lights or a reporter’s notebook without first obtaining an authorization that meets the requirements of the HIPAA Privacy Rule.

[i] OCR encourages covered health care providers participating in the good faith operation of a CBTS to implement reasonable safeguards to protect the privacy and security of individuals’ PHI. Reasonable safeguards include the following: ….

  • Setting up canopies or similar opaque barriers at a CBTS to provide some privacy to individuals during the collection of samples….
  • Establishing a ‘‘buffer zone’’ to prevent members of the media or public from observing or filming individuals who approach a CBTS, and posting signs prohibiting filming….

Although covered health care providers and business associates are encouraged to implement these reasonable safeguards at a CBTS, OCR will not impose penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in connection with the good faith operation of a CBTS.


[1] OCR encourages covered health care providers participating in the good faith operation of a CBTS to implement reasonable safeguards to protect the privacy and security of individuals’ PHI. Reasonable safeguards include the following: ….

  • Setting up canopies or similar opaque barriers at a CBTS to provide some privacy to individuals during the collection of samples….
  • Establishing a ‘‘buffer zone’’ to prevent members of the media or public from observing or filming individuals who approach a CBTS, and posting signs prohibiting filming….

Although covered health care providers and business associates are encouraged to implement these reasonable safeguards at a CBTS, OCR will not impose penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in connection with the good faith operation of a CBTS.

About the Author

David Holtzman

David Holtzman is an executive advisor for CynergisTek. He is considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules. Prior to CynergisTek, Holtzman served on the health information privacy team at the Department of Health & Human Services, Office for Civil Rights (OCR/HHS), where he led many OCR initiatives including the effort to integrate the administration and enforcement of the HIPAA Security Rule, and health information technology policies. David has nearly two-decades of experience in developing, implementing and evaluating health information privacy and security compliance programs from both government and private sector organizations. He is a member of the HHS “CISA 405-d Workgroup”, the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council and Co-Chair of the Privacy and Security Workgroup for North Carolina Healthcare Information & Communications Alliance (NCHICA).

Follow on Twitter
Previous Article
Enforcement of CCPA Begins July 1st While Regulations Still in the Offing
Enforcement of CCPA Begins July 1st While Regulations Still in the Offing

With the start of enforcement of the California Consumer Privacy Act (CCPA) arriving in a few days, the jou...

Next Article
CMS Waivers Under COVID-19: An Overview of Compliance Considerations – Part 4
CMS Waivers Under COVID-19: An Overview of Compliance Considerations – Part 4

In part 4 of this blog series, Marti Arvin discusses compliance considerations around the waivers that the ...