By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure
This post was inspired by a discussion with Dissent who runs DataBreaches.net. As a matter of circumstance, this post went live before Dissent posted about a specific website and the thoughts offered by a few other legal or security professionals. To get more insight, Dissent’s article about newborn photos should not be missed.
Privacy and security of personal information are topics of constant discussion inside and outside of healthcare. Current events keep the heat on as one or the other never strays very far from headlines. The Facebook breach/expected use of data (angle may depend on views and understanding) underscored that data are valuable and frequent targets. Additionally, reports of identity theft and other forms of fraud resulting from stolen data are also the subjects of frequent stories. The underlying issue always comes down to being able to obtain an individual’s personal information and then put that information to bad use.
When it comes to desired personal information, it would seem that information about a newborn or another individual who does not have any history could present a blank slate for individuals with bad intent. Additionally, a newborn will not monitor fraudulent accounts or other activity occurring in their name. For example, a child may not discover that their identity had been stolen until applying for a driver’s license or credit card, which are activities that will not occur for a significant period of time depending upon the child’s age. The Federal Trade Commission has information devoted solely to the issue of child identity theft, which appears to be a direct response to the growing number of threats. Among the basic steps suggested by the FTC for protecting a child’s personal information are to store all information in a safe location and limit where any personal information may be posted.
With all of those considerations in mind, there is one surprising practice that occurs right when an individual is born: online “nursery” photos. Newborn photographs, along with personal identifying information, are posted online by hospitals and/or third party services suggested by the hospital. In some instances, the photos are not behind any form of security at all. The photos are often accompanied by information such as the baby’s name, the name of the baby’s parents, the baby’s date of birth, the baby’s length and weight measurements, and potentially other information. As a security researcher that I know who tipped me off to these practices stated, why would any hospital knowingly (even with the parents’ consent) publish such personal information on the internet? That is a good question and one worth exploring since there are a lot of issues raised by the posting of newborn photographs online.
As with any disclosure of personal information in a healthcare setting, the first question will be whether the disclosure runs contrary to HIPAA. Much like the expected question, the answer is also expected: it depends. Different factual scenarios will result in different analyses under HIPAA. The analysis and path taken will be influenced by who takes the photographs (hospital, vendor of hospital, or someone hired by the parents), how personal information is transmitted to the photographer, what agreements are in place between the parties, and a number of other factors.
HIPAA is most likely to be directly implicated in the event the hospital itself takes the photographs or a third party photographer is hired by the hospital to take the pictures. Leaving aside who takes the photographs for the moment, an authorization would be highly suggested. The authorization should clearly state what photographs would be taken, what information would be used, where the photographs and information would be posted, and how all of it would be utilized. If there is an agreement between the hospital and a third party photographer, that relationship would likely be disclosed in the authorization. If the hospital wants to use the photographs for any purpose other than making it available to the parents, those additional uses should be spelled out. The ultimate goal should be ensuring that the parents are aware of what will happen to the information.
Additionally, if a third party will take the photographs for the hospital, then there should be a written agreement in place between the hospital and that third party. Additionally, since protected health information will be disclosed, the third party is a business associate and a business associate agreement must be in place.
The analysis becomes more nuanced if the relationship between the hospital and the third party is more informal. What happens if the hospital just knows of a photographer and makes that individual’s services available to new parents? If no formal relationship exists, then the photographer may not be a business associate. However, the hospital should not disclose protected health information to a random party unless it is permitted by HIPAA and/or the impacted individual. This scenario should be expected to come back to obtaining an authorization from the parents before doing anything.
A final consideration is what to do if the parents want to bring a photographer in. In that instance, the hospital will not have a relationship with the photographer and the parents will be determining what information is shared. However, the hospital still has an obligation under HIPAA to protect the privacy of other patients. In such a scenario, does the hospital have a generalized policy covering the taking of photographers, can pictures only be taken in certain areas, or are other protections in place? It should not be an easy process for anyone to come in and start taking pictures. As is clear, the situation is tricky and information should not be disclosed without a lot of advance analysis and preparation.
Regardless of how the information and/or the photographs are used or distributed, the issue of privacy and security has not been addressed yet. Except for clear, unequivocal authorizations to use photographs for marketing or other outwardly facing public purposes, it would make sense that the photographs and information should be secure. If HIPAA applies, the security rule will govern how the information is stored, which very definitively states what needs to be put into place. Yet, a quick Google search reveals a much different reality. Many hospitals have baby pictures along with varying amounts of personal information about both the baby and the parents available without any security whatsoever just by hovering a cursor over the picture. Paraphrasing my security researcher contact again, publishing information like this about a baby, even with the parents’ consent, jeopardizes the identity of the baby from the outset of life, which is contrary to best practices suggested by the FBI.
Sites that ostensibly have security are not much better. Some level of protection may be attempted, but it is easily circumvented. The “password” or access code may be easily spoofed or made up. In this instance, there may be some false comfort that only authorized people can get to the photographs and information, but anyone who takes a second or two can also get in. Poor security is arguably worse than no security because it can create a false sense that risks are being addressed.
The apparent prevalence of widely available information about newborns was and is surprising. Having a new child is a joyous occasion. It should not be a time when that new child is potentially being set up for identity theft. The security researcher suggested that all such online baby photograph sites be stopped and the data held securely. It is hard to argue against this premise. While the photographs in and of themselves may not be a bad idea, it is when the photographs are coupled with other personal information and no or lackadaisical effort is taken to secure the information.
This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.