ETSU is delighted to participate in media and marketing activities showcasing the important work our faculty, staff, and students are doing to improve the healthcare of our region. Media/marketing activities may include patient or provider stories, experiences, or other information about treatment and services at ETSU Health.
Before scheduling media/marketing activities, ETSU departments must contact:
- Jonathan Roberts, Marketing and Communications Specialist, ETSU | (423) 439-4317
- Kristen Early, Director of Marketing and Communications, ETSU Health | (423) 433-6038
The HIPAA Privacy Rule has specific requirements ETSU must comply with to use patient information for media/marketing activities. ETSU is committed to ensuring the privacy and security of our patients’ medical information. If you have any questions, please do not hesitate to contact the ETSU HIPAA Compliance Office at hipaa@etsu.edu or (423) 439-8533.
Requirements for Media/Marketing Activities that Involve Patients or Patient Information
(e.g. Provider interview about a particular patient’s care, interview with a patient, photograph of a patient, etc.)
In general, media/marketing activities should not include patients or identifiable patient information. However, if the activity necessitates use of patients or identifiable patient information, ETSU is required by law to have the involved patient complete a HIPAA Authorization to Use and/or Disclose Protected Health Information for a Media/Marketing Purpose.
- Patients whose identifiable information will be used for a media/marketing activity (e.g. Provider interview about a particular patient’s care, interview with a patient, photograph of a patient, etc.) must complete the HIPAA Authorization to Use and/or Disclose Protected Health Information for a Media/Marketing Purpose. This form documents the patient’s permission for use of their identifiable information for a media/marketing purpose.
A copy of the completed form must be stored with the work product (e.g. press release, photographs, recordings, etc.) from the media/marketing activity in a manner that can be easily located. A copy of this form must also be placed in the patient’s electronic medical record.
Requirements for bringing Media/Marketing Representatives to an ETSU Health Clinic
In general, media/marketing activities should not take place at a clinical facility. However, if the activity necessitates media/marketing representatives being present at an ETSU Health clinical facility, please notify the ETSU HIPAA Compliance Office in advance and obtain approval from your department chair or other institutional authority (e.g. Dean).
- Media and marketing representatives, other than ETSU Marketing and Communications staff, who will be present in a clinical facility must complete the Media/Marketing HIPAA Confidentiality Form.
A copy of the completed form should be stored with the work product from the media/marketing activity (e.g. press release, photographs, recordings, etc.) in a manner that can be easily located.
FREQUENTLY ASKED QUESTIONS
-
Can I just have patients sign the Model Release form?
No. The HIPAA Privacy Rule spells out specific legal requirements that must be included in the form patients complete. Patients must complete the HIPAA Authorization to Use and/or Disclose Protected Health Information for a Media/Marketing Purpose.
*Patients must complete the HIPAA Authorization to Use and/or Disclose Protected Health Information for a Media/Marketing Purpose even if you are only showing the back of their head.
A copy of the completed form must be stored with the work product (e.g. press release, photographs, recordings, etc.) from the media/marketing activity in a manner that can be easily located. A copy of this form must also be placed in the patient’s electronic medical record.
-
What happens if I forget to have a patient complete the required form?
If the patient fails to complete the HIPAA Authorization to Use and/or Disclose Protected Health Information for a Media/Marketing Purpose, ETSU is prohibited from using the patient’s information for a media/marketing purpose. There are substantial federal fines associated with noncompliance. It is very important you understand and use the correct form.
-
What forms are required when a provider is interviewed at an ETSU clinic about the treatment of a particular patient, which will include identifiable patient information?
Provider must complete:
Patient must complete:
- Model Release Form; and
- HIPAA Authorization to Use and/or Disclose Protected Health Information for a Media/Marketing Purpose
The Media/Marketing Representative, other than ETSU Marketing and Communications staff, must complete:
-
What if the patient is a minor?
A minor is a person who is under the age of 18 years old. Minors cannot generally sign forms for themselves. All required forms must be completed by someone who has legal authority to consent on behalf of the minor (e.g. a parent, legal custodian, etc.).
When a media/marketing activity involves a minor patient, a person with legal authority for the patient must complete the HIPAA Authorization to Use and/or Disclose Protected Health Information for a Media/Marketing Purpose.
-
What if a media/marketing activity includes a patient and their minor (e.g. infant, child, adolescent) who is also a patient?
Patients must complete the HIPAA Authorization to Use and/or Disclose Protected Health Information for a Media/Marketing Purpose.
In this scenario, you have two patients participating. A HIPAA Authorization to Use and/or Disclose Protected Health Information for a Media/Marketing Purpose must be completed for each patient.
-
What if ETSU Marketing and Communications staff need to get in touch with a patient about a media/marketing activity?
ETSU Marketing and Communications staff can only contact patients who have completed the HIPAA Authorization to Use and/or Disclose Protected Health Information for a Media/Marketing Purpose.
You will notice on the form there is a space for the patient to place their telephone number. Once the form is completed, the form can be provided to ETSU Marketing and Communications staff to thereafter contact the patient for the purposes of participating in the media/marketing activity.
-
What forms are required when a provider is interviewed inside an ETSU clinic, about the services they provide to patients generally (no identifiable patient information)?
Provider must complete:
The Media/Marketing Representative, other than ETSU Marketing and Communications staff, must complete:
*You will notice there are no forms for patients to complete in this scenario. When a provider will talk about general information, and no patients are identified, patient privacy is not implicated.
-
What about media/marketing activities involving ETSU at external sites?
If ETSU is engaging with patients at an external clinical site (e.g. RAM, Healing Hands, Health Fairs, etc.), the same rules apply. Patients must complete the HIPAA Authorization to Use and/or Disclose Protected Health Information for a Media/Marketing Purpose.
When working with an external site, a copy of the completed form must be stored with the work product (e.g. press release, photographs, recordings, etc.) from the media/marketing activity in a manner that can be easily located. We do not need to store a copy in the external site’s medical record. If an external site requests copies of the forms for their medical records we should provide them.
The external site may have additional rules and forms. You must follow external processes and procedures in addition to ETSU’s requirements.
-
What forms are required for media/marketing activities where individuals are pretending to be patients?
The ETSU Health system serves patients in multiple specialties. A person who volunteers to pretend to be a patient for a media/marketing activity may actually be a patient at one of our many practices. For this reason, all patients or individuals pretending to be patients must complete the HIPAA Authorization to Use and/or Disclose Protected Health Information for a Media/Marketing Purpose.
-
Are there any special requirements for clinics that treat substance use disorder, HIV, psychiatric health, etc.?
In some instances, sensitive diagnoses are subject to additional laws and restrictions.
Media/marketing activities that will take place at ETSU Health clinical facilities that involve sensitive diagnoses and will involve patients (real or pretend) require special approval and forms from the ETSU HIPAA Compliance Office.
Contact the ETSU HIPAA Compliance Office at hipaa@etsu.edu or (423) 439-8533. Please allow 10 days for approval.
-
What is identifiable patient information?
If the health information used or disclosed in relation to a media/marketing activity includes the below identifiers in relation to a patient or the patient’s relatives, employers, or household members, it may be considered identifiable and subject to HIPAA:
1. Names
2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
A. The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
B. The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000
3. All elements of dates (except year) for dates that are directly related to a patient, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) addresses
16. Biometric identifiers, including finger and voice prints
17. Full-face photographs and any comparable images
18. Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of 45 CFR 164.514 - Other requirements relating to uses and disclosures of protected health information.
When all 18 identifiers are removed and you have no actual knowledge the information could be used to identify the patient that is the subject of the information, the remaining information/data may be considered de-identified.
*Remember, if the media/marketing activity involves a patient or identifiable patient information, patients must complete the HIPAA Authorization to Use and/or Disclose Protected Health Information for a Media/Marketing Purpose.
-
What do we do with these completed forms?
ETSU Marketing and Communications staff should store the completed Model Release Form, the completed HIPAA Authorization to Use and/or Disclose Protected Health Information for a Media/Marketing Purpose, and the Media/Marketing HIPAA Confidentiality Form with the work product (e.g. press release, photographs, recordings, etc.) from the media/marketing activity in a manner that can be easily located.
*Remember, the HIPAA Authorization to Use and/or Disclose Protected Health Information for a Media/Marketing Purpose must also be provided to the involved clinical facility so that it can be added to the patient’s electronic medical record. If you forget how to store the forms, the bottom of the forms provides instruction.
References
45 CFR 164.501
45 CFR 164.508(a)(3)