As the NY Times article and related AOL video demonstrate (links below), baby photographs are protected to the same extent as medical records, Social Security Numbers and other types of individually identifiable information. The Health Insurance Portability and Accountability Act (HIPAA) protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. This is known as “protected health information (PHI).” See 45 C.F.R. § 160.103.

Covered entities are prohibited from using or disclosing PHI unless permitted or required under HIPAA or as the individual who is the subject of the information (or their personal representative) authorizes in writing. See 45 C.F.R. § 164.502(a). Many health care providers argue that when a parent submits a photograph of their child for posting on the hospital or clinic baby board, the parent impliedly consents to the use of the baby picture for that purpose. However, as the NY Times article suggests, HIPAA does not permit implied authorization. Instead, the law requires the covered entity to obtain authorization in writing, with the authorization meeting certain minimum requirements. See 45 C.F.R. § 164.508(c).

A spokeswoman for the Office of Civil Rights of the Department of Health and Human Services (cited in the NY Times article) stated she was not aware of any medical office that had been fined over the issue.

Read the NY Times article.

Watch the video.

Written by: Jacob S. Simpson