I received a very interesting question, and I am sharing it and my response here because it is a great HIPAA topic to discuss that I have not seen written about very often before, except for several articles I’ve written over the past couple of decades. I’ve removed the identifying information, and modified the situation details enough so that this cannot be tied to the actual situation.
With the preponderance of people now taking photos and videos with their phones as part of their standard daily activities, the number of situations where healthcare workers are capturing images and posting them on Instagram, Facebook and other social media sites is dramatically increasing. This exposes healthcare providers, healthcare insurers, and healthcare clearinghouses (collectively referenced in HIPAA as “covered entities”), and the vendors that do work for them (“business associates” and their subcontractors), to fines and penalties under the HIPAA Privacy Rule, as well as to business-damaging bad publicity and a wide variety of civil suits. Not to mention the harm such posts could do to the people in those images.
Here is the question:
“I had a situation recently regarding a HIPAA violation.
In a recent office-based surgery situation, a photo was taken of the operating room after the patient was discharged. The photo was then posted to a popular social networking site with a caption reading “what a long day of surgery doing [redacted details; none of which were personal information items] for [ ] hours.”
The photo did not have any individual in it. It did not have any items or information or any PHI of any kind that could be viewed. Just the operating room bed, drapes, equipment, etc. Comments were made on the social networking site regarding the photo. However, absolutely no PHI was posted at any time on the site in any way in relation to the posted picture.
The photo on the Internet was reported to the physician. The employee who posted the photo was asked to take a couple of days off after being told that HIPAA was violated and that the practicing physician was at risk of losing his license, as well as the employee. The employee then left the place of employment and has not been contacted with any further instructions or a chance to make a defense.
What are your thoughts about this? Thank you!”
Here is my reply, again with personal references removed:
“Thanks for your message.
Compulsory disclaimer: None of the information within this message is intended to be legal advice. This is strictly my opinion of the interpretation of HIPAA based upon my practical experience and research.
You mentioned that no PHI was given, but also that it was a photo of the surgery room where a patient had been that was posted to Facebook.
Photos with a patient in them are considered to be protected health information (PHI). In fact, there are 18 specified items within the Health Insurance Portability and Accountability Act (HIPAA). “Full face photographic images (and any comparable images)” is on this list, as is “Other unique identifiers that can be attributed to a specific individual.” But the photo was just of the room, and there was nothing visible in the room to link to the specific individual patient?
If you are going by these facts and that there was absolutely nothing in the photo that could be tied to the patient, then looking strictly at the HIPAA regulations text, the situation you describe does not sound like a HIPAA violation.
However, another HIPAA requirement is that covered entities (which include healthcare providers) must establish and implement information security and privacy policies, communicate them to personnel, and enforce them. So now some questions to ask are…
- Does your office have information security and privacy policies?
- Are there any policies that state no photographs may be taken in areas where surgeries are performed, or some similar type of wording?
- Are there any policies stating nothing from the office can be posted to online social media sites, websites, or otherwise outside of the office?
- Have the policies been communicated to all personnel?
- Have all personnel been given training over the policy requirements?
- Is there a sanctions policy that states noncompliance with the policies could result in disciplinary action up to and possibly including termination and potential legal actions (or something similar)?
It is possible that, if such policies exist and were created specifically for HIPAA compliance, your organization is viewing this policy noncompliance as being a HIPAA infraction because of the HIPAA requirements to have security and privacy policies and enforce them. However, with such policies, training and communications in place, the policy infraction itself is generally grounds for disciplinary actions, possibly including termination.”