Why a hospital shouldn’t put baby photos online
Privacy and security of personal information are topics of constant discussion inside and outside of healthcare. Current events keep the heat on, as one or the other never strays very far from headlines.
The Facebook breach—or perhaps it could be considered the expected use of data, with the angle depending on one’s views and understanding—underscored that data are valuable and frequent targets. Additionally, reports of identity theft and other forms of fraud resulting from stolen data are also the subjects of frequent stories. The underlying issue always comes down to being able to obtain an individual’s personal information and then put that information to bad use.
When it comes to desired personal information, it would seem that information about a newborn or another individual who does not have any history could present a blank slate for individuals with bad intent. Additionally, a newborn will not monitor fraudulent accounts or other activity occurring in their name. For example, children may not discover that their identities had been stolen until applying for a driver’s license or credit card, which are activities that will not occur for a significant period of time.
The Federal Trade Commission has information devoted solely to the issue of child identity theft, which appears to be a direct response to the growing number of threats. Among the basic steps suggested by the FTC for protecting a child’s personal information are to store all information in a safe location and limit where any personal information may be posted.
With all of those considerations in mind, there is one surprising practice that occurs right when an individual is born—online “nursery” photos. Newborn photographs, along with personal identifying information, are posted online by hospitals or third-party services suggested by the hospital. In some instances, the photos are not behind any form of security at all. The photos are often accompanied by information such as the baby’s name, the name of the baby’s parents, the baby’s date of birth, the baby’s length and weight measurements, and potentially other information.
A security researcher who tipped me off to these practices wondered why any hospital would knowingly—even with the parents’ consent—publish such personal information on the internet. That is a good question and one worth exploring, because there are a lot of issues raised by the posting of newborn photographs online.
As with any disclosure of personal information in a healthcare setting, the first question will be whether the disclosure runs contrary to HIPAA. Much like the expected question, the answer is also expected—it depends. Different factual scenarios will result in different analyses under HIPAA. The analysis and path taken will be influenced by who takes the photographs (hospital, vendor of hospital or someone hired by the parents); how personal information is transmitted to the photographer; what agreements are in place between the parties; and a number of other factors.
HIPAA is most likely to be directly implicated in the event the hospital itself takes the photographs or a third-party photographer is hired by the hospital to take the pictures. Leaving aside who takes the photographs for the moment, hospitals would be wise to seek authorization from the parents. The authorization should clearly state what photographs would be taken, what information would be used, where the photographs and information would be posted, and how all of it would be utilized.
If there is an agreement between the hospital and a third-party photographer, that relationship would likely be disclosed in the authorization. If the hospital wants to use the photographs for any purpose other than making it available to the parents, those additional uses should be spelled out. The ultimate goal should be ensuring that the parents are aware of what will happen to the information.
Additionally, if a third party takes the photographs for the hospital, then there should be a written agreement in place between the hospital and that third party. Additionally, because protected health information will be disclosed, the third party is a business associate, and a business associate agreement must be in place.
The analysis becomes more nuanced if the relationship between the hospital and the third party is more informal. What happens if the hospital just knows of a photographer and makes that individual’s services available to new parents? If no formal relationship exists, then the photographer may not be a business associate. However, the hospital should not disclose protected health information to a random party unless it is permitted by HIPAA or the impacted individual. This probably circles back to obtaining an authorization from the parents before doing anything.
A final consideration is what to do if the parents want to use their own photographer. In that instance, the hospital will not have a relationship with the photographer, and the parents will be determining what information is shared. However, the hospital still has an obligation under HIPAA to protect the privacy of other patients. In such a scenario, does the hospital have a generalized policy covering the taking of photographs; can pictures be taken only in certain areas, or are other protections in place? It should not be an easy process for anyone to come in and start taking pictures. As is clear, the situation is tricky and information should not be disclosed without a lot of advance analysis and preparation.
Regardless of how the information or the photographs are used or distributed, the issue of privacy and security has not been addressed yet. Except for clear, unequivocal authorizations to use photographs for marketing or other outwardly facing public purposes, it would make sense that the photographs and information should be secure. If HIPAA applies, the security rule will govern how the information is stored, which very definitively states what needs to be put into place.
However, many hospitals have baby pictures—along with varying amounts of personal information about both the baby and the parents—available without any security whatsoever, much of it readily accessed just by hovering a cursor over a picture. Paraphrasing my security researcher contact again, publishing information like this about a baby, even with the parents’ consent, jeopardizes the identity of the baby from the outset of life, which is contrary to best practices suggested by the FBI.
Sites that ostensibly have security are not much better. Some level of protection may be attempted, but it is easily circumvented. The “password” or access code may be easily spoofed or made up. In this instance, there may be some false comfort that only authorized people can get to the photographs and information, but anyone who takes a second or two can also get in. Poor security is arguably worse than no security because it can create a false sense that risks are being addressed.
The apparent prevalence of widely available information about newborns was and is surprising. Having a new child is a joyous occasion. It should not be a time when that new child is potentially being set up for identity theft. The security researcher suggested that all such online baby photograph sites be stopped and the data held securely. It is hard to argue against this premise. While the photographs in and of themselves may not be a bad idea, it is when the photographs are coupled with other personal information—and there’s no or lackadaisical effort to secure the information.