HIPAA, Medical Case Reports, and Unbalanced Benefit in News Reporting
On January 12, 2010, a magnitude 7.0 earthquake rocked the island country of Haiti, destroying much of the capital Port Au Prince and leading to the deaths of as many as 200,000 people. Since this time, thousands of images of the resulting carnage have been published in both traditional media and on internet sites.
Recently there has been some discussion about the appropriateness of some of these images, particularly those that depict individual humans in despair or even in death. Some have argued that such images should not be published without the express consent of the person depicted, or with the consent of the next-of-kin in cases of the dead. Media, for the most part, has held that in cases of extreme human events the benefit of publicizing the truth outweighs whatever emotional harm might come to an individual through publication of their plight. They argue that the many outweigh the few, in this case.
I have thought a great deal about this issue, both as it applies to the recent images in Haiti and to my own efforts at publication. In this thinking I have formed the idea of unbalanced benefit in news reporting. The point of news reporting is to explain to the world what is going on. Ultimately this benefits the world, but may actually be of harm to the individual being reported on, though breach of confidentiality or publicizing of personal anguish. Part of the issue is that sometimes a picture means something different to the person in the picture than it does to the stranger that views it. If the world looks at a pile of dead bodies recovered from a collapsed building in Haiti, they see the situation that has occurred, and the overall effect it has had on the people and environment. But if the mother of a dead woman in that pile of bodies sees the picture, its a whole different story. That mother doesn’t see the overall situation, she sees her daughter, and knows that the world sees her too. And so while the world may actually benefit from seeing that picture, and in turn Haiti may benefit from the attention it creates, the mother may suffer emotional distress because of it. All without her consent. Most media outlets feel that in situations like Haiti, consent is not required, if for any reason than it would be completely impractical. To some this is hypocritical, as we certainly hold media to a higher standard when filming in the United States, hence the frequent blurred faces we see in some news broadcasts when consent for filming was denied or was not available.
So what about cases where an image is “nearly” anonymous? The above example is one of these situations, where to nearly everyone in the world it is an image of random carnage, but to a select few it is an image of an individual person. Is that image truly de-identified? Does de-identified mean the same as unidentifiable?
I have been asking myself these questions a lot, as it relates to the publication of medical cases. Recently I published several images from medical cases I was involved with, and all of these images have gotten significant traffic on the blog. One in fact was immediately stolen and republished without consent or appropriate attribution on a Romanian OB/GYN blog, which I found concerning.
Before I published these images I thought a lot about whether or not it was a confidentiality issue. Clearly none of them are identifiable to the world in general, but that doesn’t mean that they weren’t identifiable to the individual in the image. That bothered me a bit, so I asked around to a lot of colleagues, who all seem to agree that de-identified images are kosher to publish. After all, pictures of interesting medical conditions are often taken in surgery, under the permission provided in most routine surgical consent forms. Some of these pictures go on to be published in medical journals, all without any additional consent process taking place. Furthermore, there are lots of websites that aggregate medical cases and publish de-identified pictures, and Google images is full of medical pictures. Sermo is full of case reports with de-identified photos, which in some ways is different since everybody looking at the pictures is a physician.
It was always my intention that Academic OB/GYN would be a blog that would be trafficked mostly by OB/GYN physicians. As the blog has developed, I have found that the traffic is far more mixed between physicians, other medical professionals, and laypeople. So does this matter? Is the implied de-identified publication right different when the audience that will look at the picture are not all doctors? From a legal point of view, the answer is no. In fact, HIPAA is pretty clear about what can be published and what cannot.
HIPAA specifies 18 elements that cannot be published without express patient consent:
1. Names;
2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
4. Phone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social Security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images; and
Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
As such, the publication of a de-identified medical image along with general comments about the case, whether on the internet or in print, is a HIPAA compliant activity, and therefore should be kosher. But still I am bothered by a few things. HIPAA states that you can’t publish a patient’s zip code. So does this also mean that there cannot be an implied zip code? In my case, many people know who I am and where I work, so if I publish a case there is certainly an implied zip code, which may or may not be correct. Certainly most cases I publish can be reasonably assumed to be my county or one of the adjacent counties. The same could be said for many case reports in journals, as they do list their city of origin. Does this matter? I’m not sure.
As I think about this, I realize that its not so different than the Haiti pictures. To me and to my readers, a medical image is a picture of a condition, not of a specific person. But in some cases, there is someone out there that might look at that picture and see a picture of themselves, and that bothers me. It may not be illegal or HIPAA non-compliant, but it still seems wrong without explicit consent to publish a specific image.
It really comes down to this – if I were to ask a patient if they minded if I published a particular de-identified picture of them on a educational website and they said that they did mind, would I still want to have published it? My answer is an emphatic NO. If my patient saw a picture on the web that they realized was them, I would want them to feel happy that they are helping to educate someone, not upset that something was seen that they would have preferred be kept private, even if no one ever knew it was them. I am not comfortable with the idea of unbalanced benefit when it comes to my blog.
As such, I’ve decided to change my photo policy. As of now, I have taken down any picture that I believe an individual patient might be able to identify as a picture of themselves. Furthermore, I will seek explicit written consent to republish these images, and will do the same prior to publishing any potentially self-identifiable case images in the future. This will be a pain in the butt, but I think it is ultimately the right thing to do. I challenge other medical bloggers to meet the same standards, which I think are ultimately just and reasonable for our patients.
Academic OB/GYN 
I applaud your actions and am happy that you will publish info and photos only with the express permission of the subject. That is the honorable thing to do and I appreciate you setting this high standard. Here is hoping that others follow suit!
LikeLike
I think you’re quite right – good job for doing that! I was actually thinking about that very issue as I read your last few entries – the ones that had specific patient pictures (prolapsed fibroid, etc.) – I was wondering if the woman had given her permission for her picture to be published. As you say, no one would know that it was her – but if she saw it, she would know that it was her and would perhaps feel violated. Great thoughts, and thanks for bringing this up.
LikeLike
Thanks for the comments. I’ve always asked for verbal consent to photograph anything of interest, but things have changed a bit with the internet. In the past patients would consent to taking photographs, assuming that they would never see them. And if they were published they would be published in a medical journal, that was almost certainly true. But in the internet age, any photograph that appears in print, whether in a blog or not, is far more likely to turn up, particularly if the patient decides to google their condition. As such, a new kind of consent is in order.
That being said, I think this conversation with patients really opens up the opportunities for participatory medicine. Patients by and large are open to being a part of the educational process, as long as their rights are protected and they feel that they are getting great care.
LikeLike
A picture of my patella and tibial tuberosity (and assorted tendons and ligaments) were put in a journal 15 years ago. I found out at a follow up appointment. He was so excited about it and handed me a photocopy of the article.
I cannot believe that I forgot about it and never looked it up.
LikeLike
Link that baby up! Lets see that knee article!
LikeLike
I’m looking for it. These guys were prolific with the research! Also, MRI imagery makes ortho journals extremely cool.
This is a total trip down memory lane. I remember them using one of the patellar stress test “machines” on me 20 years ago and it looks so archaic in the pictures, like a couple of blocks and a rubber band.
LikeLike
I see a lot of things that could be classified as a cross between case reports and first person types of blogging. I have to admit feeling some degree of discomfort with some of them, due to the detail presented.
One thing that helps is when stories are not so contemporaneous, that they are events that have happened several months ago rather than just today, or just this week.
I think you have to anticipate that one way or another patients will learn about your blogging and perhaps begin to check to see what you are writing about.
LikeLike
Very interesting post. I’m a reporter. I do both print and photojournalism. In general journalists start from a very different perspective than health care providers. I couldn’t do my job if I assumed that I had to get permission from everyone I wrote about or photographed. It’s not just a practical issue. I couldn’t do my job if I assumed I had to write/shoot the kinds of stuff that every subject would consent to if I were to seek their permission. A lot of the time, my job is to reveal what the subjects would prefer to keep hidden.
It’s a matter of whose interests I’m supposed to uphold. If I were someone’s health care provider, my first duty would be to that person’s welfare, including their privacy. But that’s not how reporting works. In principle, I’m there to tell the truth as I see it. I hope I see things that my subjects would rather keep hidden.
Of course, if I’m doing my job, I’m representing the dignity of the people I’m reporting on. Because it’s always there, no matter who the subject is or what their circumstances. I mean, everyone’s a person with inherent dignity and if that doesn’t come through in my reporting, I’ve screwed up and distorted the picture.
LikeLike
Lindsay – thanks for that perspective. As a physician blogger I trod a fine line. When it comes to the general medical news I can be a reporter and editorialist. But when it comes to patient cases I can’t just be a reporter, since I have privileged information that never would have been given to me out of confidence. Clearly HIPPA protects this information, but HIPPA wasn’t written for the internet age, and there’s still a few gray areas.
LikeLike
Good for you! First of all, obtaining consent/release authorization is just the safe thing to do, because it is actually quite difficult to completely de-identify everything all the time. For example, I was just scrolling through your blog and noticed a YouTube video of an ultrasound, which had the date on it. Date of service is one of the major identifiers that people slip up on when they are trying to de-identify something. I work at an academic medical center, and we had a lot of issues with trauma surgeons taking pictures of things they find “cool” on their cell phones – yes, those photographs are technically de-identified, but like you said, to the person who has fan blade up their behind, or whatever, it is very much identifiable. So we have photography policies in place basically like your new policy. The thing with the internet, like you noted, is that there is actually a chance now that a patient could find a picture of themselves on Google Images. It’s unlikely that most patients are attending grand rounds or reading case reports and therefore are unlikely to ever find themselves the subject of a physician’s writing. But a blog is entirely different, especially since patients with rare medical conditions often search the internet for information about their condition. If you blog about that condition, it’s not too far-fetched to think they might come across it.
BTW your concern about zip codes – I wouldn’t let it keep you up at night. There is nothing in HIPAA that says “implied” identifiers are identifiers. Especially in an academic setting, it is very common for patients to travel from other areas to see a physician. I wouldn’t assume that your patients share your zip code.
LikeLike
Thanks for your reply, and for pointing out the date on the ultrasound. I will work on that. I had not noticed it and I should have thought of that
LikeLike
These sort of reports are the most beneficial data in terms of medical activities..
LikeLike
Good article to read on, and yeah even i had seen some of the post disturbing pictures of this nature’s calamity.
LikeLike
Awesome post! please keep up the great work i would love to hear more like this.
LikeLike
HIPAA-the very reason why I had several co-employees when I used to work for a California health insurance, that were terminated, they mistakenly disclosed personal information to people not authorized and as per HIPAA considered as really private. 😦
LikeLike
It’s a pity you don’t have a donate button! I’d without a doubt donate to this brilliant blog! I suppose for now i’ll settle for book-marking and adding your RSS feed to my Google account. I look forward to fresh updates and will share this website with my Facebook group. Chat soon!
LikeLike
Thanks for the vote of confidence! Feel free to donate via paypal nicholas.fogelson@academicobgyn.com
LikeLike
I think that this blog is really cool .so please visit my this site and get collection information
LikeLike