When Private Parts Create a Privacy Problem

March 10, 2021

Before and after pictures are extremely important for aesthetic practices, but what happens when things go wrong? Tune in as Michael and Brad share a dumpster fire story in which one practice found multiple ways to violate their patient’s privacy.

Listen to the full episode using the player below, or by visiting one of the links below. Below is the episode’s transcript which has been edited for readability. If you have any questions or would like to learn more, email us at info@byrdadatto.com


Warning: the following episode might contain language explicit for younger audiences

Intro: [00:00:00] Welcome to Legal 123s with ByrdAdatto legal issues simplified through real client stories and real world experiences creating simplicity in three, two, one.

Brad: Welcome back to another episode of Legal 123s with ByrdAdatto. I’m your host Brad Adatto with my cohost Michael Byrd.

Michael: Thanks Brad. As a business and healthcare law firm, we have some amazing dumpster fire stories and as a reminder, a dumpster fire essentially means a mismanaged situation, that results in utter disaster. This season, we’ve covered a ton of dumpster fires, but today’s story is a double whammy. A client that on the same rules figured out multiple ways to violate state and federal laws.

Brad: Yeah. And this episode is going to be a little bit different than last week’s episode, where we had an undercover police officer, Rob Griffin, coming in and talk about different laws. But you know, when I was preparing for today’s episode, for some reason, Michael, I could not stop [00:01:00] thinking about the website, Cameo.

Michael: Oh, yes. That’s one of the few bright spots of 2020, both you and I, at some point discovered the genius of cameo and have sent multiple of these throughout 2020. So for those that don’t know Cameo is a website, they also have an app, which has thousands of celebrities who you can hire to send video birthday greetings or messages to your friends and family. I think actually, Brad, that you’re the one has truly become obsessed with it. You’ve sent so many to your friends, including getting Drew Bree’s to send your dad a happy birthday.

Brad: Damn right.

Michael: But what does this have to do with today’s episode?

Brad: Well, Cameo is another way in which we connect with their friends and families. And as you’re explaining, having these videos of your favorite celebrities or athletes come along and it’s another way in which you can have this [00:02:00] strong connection. And in this case, it’s a video and image, and people tend to process visual images a little bit easier.

Michael: Oh, the old adage, a picture’s worth a thousand words, I guess, exponentially because you add video element to it.

Brad: Yeah, that’s exactly right. With Cameo, you’re forming this connection with this celebrity, but now you’re going to get this personal greeting from them. So it’s even more personal connection.

Michael: So again, what does this have to do with today’s episode?

Brad: Okay, fair enough. We work with a ton of healthcare clients in the aesthetic and cosmetic industry. Their websites, their offices are covered in their artwork, which is often referred to in the industry as before and after pictures. So your potential patients, who may be deciding something, they might be going onto your website and looking at these pictures and our videos. And thus forming a personal connection with these medical providers.

Michael: I got it. The before and after pictures [00:03:00] are extremely important for an aesthetic practice to showcase their skills, like Cameo, using pictures and videos to develop this additional connection. Which, Brad, leads us to today’s dumpster fire story.

Brad: It does. So Michael, in this story, we have the same medical practice, as you mentioned in the very beginning, with two different stories surrounding their before and after pictures. The first story starts off and isn’t enough. A patient of a plastic surgeon had a breast reduction surgery. The results of the surgery was amazing. She was so happy that when she saw the results, she said, you’re more than welcome to use my before and after pictures on the website.

Michael: Wow, Brad you’ve grown up so much. I know the first time we gave this speech, I think a thousand doctors in the room, and I’m pretty sure you used the word boobies. So way to be anatomically correct and mature [00:04:00] for our audience. For those who may not be following the aesthetic industry, these before and after pictures are usually modified or cropped just to show the area of the surgery. So it makes it impossible to know, typically, who the actual patient was.

Brad: Right. Good point. Thank you, Michael. And thanks for reminding me. In this case, the website, as you said, showed all your before and after shots of her breast, and so not her face or other distinguishable features could be seen.

Michael: Okay, so what went wrong?

Brad: You’re right, this is our season all about dumpster fires. Well, unfortunately for the patient, when the doctor’s office posted the before and after pictures, they forgot to scrub the metadata.

Michael: Whoa, that sounds bad. Well, let’s have our first vocabulary word of the day and I’m not an IT guy, but we can kind of generalize and talk about, you know, what is metadata? And this is basically all the information that’s embedded in a file. It provides [00:05:00] the information behind the picture. So for example, the author, the date created, the date modified, and file size are all kind of part the metadata.

Brad: Correct. And so in this case with the metadata, when they were getting this picture, or in this case it’s called a JPEG file, the patient’s last name was associated with that JPEG file. So fast forward to sometime later, her cousin was Googling her name for some reason. And all of a sudden this patient’s before and after pictures up here, basically letting the whole world see her private parts that the doctor was supposed to keep private. And the patient was obviously clearly upset and called the doctor’s office, who immediately took the pictures off their website.

Michael: But the story does not end there.

Brad: Unfortunately it does not. As many of you know, once Google captures an image, a video, or wherever it is, it never goes away. So even on the doctor’s [00:06:00] website, no longer had the before and after pictures, the internet still had the patients before and after pictures. And not only that, the pictures still had her name associated with them.

Michael: So you Google her name, and boom there are the images.

Brad: Yep. That’s what you see.

Michael: That’s horrible. Well, let’s move on to the second story. Same practice as before, as we continue the overall dumpster fire. The second story is not as bad, but still adds to the flame.

Brad: It does. And so same medical practice. And in this practice, in their waiting rooms, their hallways, and exam rooms, his practice has TVs. And these TVs typically will have before and after pictures on a loop, basically showing off the medical practice’s artwork.

Michael: Standard for the industry.

Brad: Right. So in this second story, same practice. We had a patient just sitting in the waiting room, waiting to see her physician. And all of a sudden her before and after pictures of her [00:07:00] breasts enhancement appear on the TV monitor, and much like the website pictures in our first story, it was cropped. So you couldn’t see her face, but she had a tattoo. So when she saw the picture, she knew those were her breasts.

Michael: Who are you? Your mom’s going to be listening to this episode, right?

Brad: Yes.

Michael: Okay. So what was the problems?

Brad: So here’s the problem: she never gave the practice permission to use those before and after pictures. And so obviously she felt very violated that anyone sitting in the waiting room could see her breasts. So basically, anyone who knew that she had that unique tattoo would know that that’s her picture if they happened to be in the waiting room. So when she went in, she complained to the office and they initially told her that they did not need her permission, as it was not published on the internet, it was only on the “internal video”, Michael air quotes, and therefore it was not publicly used. It was only privately used in their office. [00:08:00]

Michael: Private user, private parts, the waiting rooms, hallways, exam rooms. They’re not public, right?

Brad: Yeah. That’s not the advice we gave them. We recommended that they take down her before and after pictures. We also learned during this conversation that she was not the only patient that they had done this. That practice had been using a lot of these before and after pictures on these “internal advertising loops” and then never thought they needed permission.

Michael: Wow. What a story. We’re going to go into commercial now, Brad. And on the other side, we will spend some additional time discussing what happened to the practice, and what rules the practice must understand from a legal perspective and compliance perspective from today’s dumpster fire.

Access+: Many business owners use legal counsel as a last resort rather than as a proactive tool that can further their success. Why? For most it’s the fear of unknown legal costs. ByrdAdatto’s Access+ program makes it possible for you to get the ongoing legal assistance you need for one predictable monthly fee that gives you unlimited phone and email access to the legal team so you can receive feedback on legal concerns as they arise. Access+ a smarter, simpler way to access legal services. Find out more. Visit byrdadatto.com today.

Brad: Welcome back to Legal 123s with ByrdAdatto. I’m your host, Brad Adatto, with my cohost Michael Bird. Now, Michael, we just finished capping off how one practice found multiple ways to violate their patients’ privacy, and in the grand fashion of showing off their private parts to the whole world. Can you help our audience understand— what are some of the rules that they most likely violated?

Michael: Well, kind of the grandfather of patient privacy in healthcare, obviously is HIPAA. That’s what first comes to mind and probably is where we should always start.

Brad: Absolutely. And I think we just hit our second vocabulary word. [00:10:00] I think a lot of people hear the term HIPAA, but have no idea what it actually stands for. So for those who really want to know what the Health Insurance Portability and Accountability Act is, this is a federal law that establishes the minimum federal standards for protecting the privacy of protected health information, otherwise known in the industry as P.H.I.

Michael: Right. And HIPAA is the standard for controlling how patient health information is used or disclosed. A primary goal is to ensure that individual’s health information remains confidential, but still allows for the flow of health information necessary to provide and promote high quality healthcare and to protect the public’s health and wellbeing. And I’ll just add, if you really try to distill it down, you can kind of break HIPAA into two big pieces. One is a body of rules that deal with the security about how you maintain the information and then others that deal with [00:11:00] the privacy side— what are your policies that are minimum policies required to maintain that data?

Brad: You know, Michael, we then often hear, from our aesthetic or cosmetic clients, well, HIPAA doesn’t apply to them. What is your answer?

Michael: Well, they’re right and wrong at the same time. So the common question worded from our client’s perspective is that they hear that we don’t take insurance, so HIPAA doesn’t apply. And, technically, HIPAA only applies to medical providers who are, getting technical for a minute, transmitting health information electronically in connection with certain cover transactions. So, translation, generally if you’re a cash based business, the HIPAA laws may not apply to your business. It actually is a little bit more technical than that. But as a general rule of thumb, [00:12:00] a cash based business is not going to be subject to HIPAA.

Brad: Right. Because they’re never submitting anything to a third party. So those who are a pure cash medical business, they can stop listening now, Michael?

Michael: No. And Brad, we’ve talked about this. We don’t encourage our audience to stop listening. We’re trying to get more people to listen.

Brad: That’s right.

Michael: That’s okay. So although federal HIPAA would not apply, almost every state has their own version of a state- level HIPAA. We call it baby HIPAA laws. California and Texas jump to mind, and they jump to mind because they actually have some stricter rules than the federal law. But every state has some form of patient privacy protection, and many of them are payer indifferent. In other words, cash is still something that is subject to that state law. And so you have to comply with these state privacy laws. And [00:13:00] just to add to that, there is a state’s right to privacy in every state in the United States. And so it gets super complicated when you start trying to mix. You have this federal law that governs things, and then you have your state laws that govern things, and then you have common law. That’s like, your right to privacy and they do kind of all mix together. And what makes it kind of confusing, and I know you’ve heard this before Brad, as they say HIPAA preempts a private right of action.

Brad: Meaning for those not following, is that the federal rules have control over state rules.

Michael: So what you’ll hear is yes, you have a HIPAA violation, but you as a patient have no right to sue under HIPAA. And the plaintiff’s lawyers have been spending some time over the years trying [00:14:00] to work around that.

Brad: Right. So that’s a perfect example of, hey, well, if I did violate HIPAA, the only person that can then have force, it sounds like, is the federal government or in some cases the state government. But you, the individual citizen, have no right to enforce the HIPAA breach.

Michael: So take our example from today’s dumpster fire. This patient had her breasts on the internet and was not feeling too good about it. And she, as we know, and we’ll talk a little bit more about, wanted to come individually after our practice because of her rights being violated. You’re kind of navigating a very narrow slope, but you’re basically saying there’s a patient privacy breach. And what we have found is the [00:15:00] defenses say, no this is a HIPAA, only the government can come after you. And generally speaking, patients have been successful in getting after the practices and getting around that. And what’s become interesting is that now many courts are starting to use HIPAA as the standard of care.

Brad: That’s right.

Michael: But basically what they’re saying is that the state, the judge or the jury is looking at the behavior of the practice’s patient saying, hey, you violated my privacy. And they’re saying, well, how do we gauge, whether you did or didn’t do what you should have done. And they’re actually looking to the HIPAA standards to gauge that.

Brad: That’s right. And I think you were talking about within our first story, we had a breach. And so in this first story they were unable to get any of those images off the internet. Our client, in this particular case, it was not a [00:16:00] HIPAA breach, but as you said earlier, it did violate this person’s privacy, and they ended up settling out of court by paying the patient a very large sum of money.

Michael: And did our client come out of pocket on this?

Brad: The funny thing is, in this case, not really because this client had something that was actually never used before by this entire practice, but they had some type of privacy insurance or sometimes in the industry called HIPAA insurance. And luckily with this insurance, it ended up having it allowed to pay for the settlement amount. But as a reminder, this is a patient who, up until the moment in time that her name was associated with her breast pictures on the internet, loved him, and now she’s super mad at him. And so now this physician had to spend a lot of time working through getting this settled, a lot of time and energy away from his actual practice. And this is all because this doctor putting together the processes didn’t make sure it’s metadata was scrubbed before it was actually [00:17:00] posted and, therefore, exposed himself, his practice and, unfortunately, his patient.

Michael: Yeah. I mean, we’ve had so many episodes talking about policies and procedures and how they can help protect you in so many different areas. And in this particular area, most treating medical providers allow their staff to post their information. They’re taking on a business risk by doing that. It makes sense their highest and best use of their time is in the operating room, but they’re taking a risk the minute they delegate that task because it’s on them if there’s a problem and they don’t spend the time or energy developing these proper policies and procedures to make sure when they’re posting that for example, the metadata is scrubbed in whatever their process is.

Brad: Yeah and it’s important that you just said, it’s not only the process and the policy, but then also making sure they actually train the staff to follow these policies.

Michael: Yeah. The piece of paper that [00:18:00] says you have a policy, doesn’t do much good unless you breathe some life into it.

Brad: Someone listening to this podcast, who’s listened to every episode may have heard us say form and substance.

Michael: Yes. So what happened in the second breach?

Brad: So second breach, it wasn’t nearly as bad. This one did not have a big, giant payday for this particular patient. She was eventually the treating physician gave her some free injections to kind of appease her and that was really it. And in reality they dodged a much, much bigger bullet because as we mentioned earlier in this process, they did not have the proper consents from their patients who they were posting all these before and after pictures. And again, luckily once we figured all this out, they took down all these before and after pictures and on that loop that they did not have those proper consents.

Michael: Another area that we see as a common mistake is kind of in the broader policies and procedures bucket is getting consents and [00:19:00] here they misconceived that quote internal use of those photos wasn’t something they needed to have consent for, but we see a full range of problems in how people use consents. And the root of it is where do they get those consents, Brad?

Brad: The internet?

Michael: Yes or their friends or a friend of a friend.

Brad: Or they got it from somebody who just does it for patient consents in general, and then never really understood what does a good before and after picture a consent address.

Michael: Yeah and they have to have the appropriate level of disclosures on how you plan to use the pictures. Are you planning to use it for social media, website education, research on your internal TVs? And you want to make sure the consent covered the people to who you’re going to have using it. So, example, we commonly see the practice gets a consent to use the before and after pictures and then the [00:20:00] doctor goes and posts it on his or her social media account. Well, that’s technically a HIPAA breach because they didn’t consent that individual provider to use the before and after pictures on their personal social media.

Brad: Yeah and we’ve talked about this before, that when it comes to that there’s two major areas in which when it comes to your before and after pictures that every single practice and providers should be thinking about, number one is who owns the rights to those. Meaning that those before and after picture typically are confidential patient information that is actually owned by the practice consistent system, the medical records. And so a lot of times it’s in the employment agreements with those medical providers. But secondly, to your point, Michael, the patient’s still ultimately has a rights to those pictures and has to consent that they allow them to use it both on the medical practices website and on the [00:21:00] social media one. So, Michael, so it’s not just the social media that they’re using. It’s the fact that they’re using it on their personal website and on the practice website, if the patient didn’t consent to that, as you said that is a privacy breach.

Michael: Yep. All great. And any additional recommendations you have for the audience on kind of this whole topic?

Brad: Yeah. And this may sound like we’re getting a little repetitive sometimes, but a crucial element really is establishing a compliance plan as we talked about and conducting a risk assessment, is that very first step. Now, these assessments help identify where are these privacy threats or more importantly, the holes in your actual system before the assessment can be done. Once you do this, you can start putting in place the plans, the policy themselves to safeguards needed. And obviously what you’re trying to do is mitigate the risk of these privacy breaches.

These risk assessments can also help with business, making determinations on how to properly balance the patient’s [00:22:00] privacy and then the risk of a patient data breach. For example, where’s your patient data stored? How can it be accessed? Who can access it? Is that data ever mobile? So in your files, in a laptop or on your iPad, is the data itself encrypted once you publish it, how are you publishing it via pictures or videos and articles? And then when necessary, did you remove the protected health information? This risk assessment will and obviously depending on your size and scope of your team can vary, but these are the important things that any practice that is touching patient information, especially when you’re using it for posting, that you want to go through at least a very minimum risk assessment. So, Michael, what are some of your final thoughts?

Michael: The idea of patient privacy is as we talked about much more complicated than it at first seems. And what we [00:23:00] see is that our clients typically don’t have a full understanding, a full picture. It’s almost like they’re looking at compliance through a telescope and they can only see what they know and what they see. And so they hear the word HIPAA and they think that’s it. And then they think, okay, well, we don’t take insurance, so we’re good. And they stopped there and there’s all sorts of issues. Or as in our story, this is internal so we’re just going to roll with it. And you know, we talk about this all the time the world is changing as it relates to the provider side of healthcare, since healthcare reform in 2009, we’ve seen more and more emphasis on laws that may have been around even longer than 2009 being focused on the provider side. And so this new world that we’ve been living in for the last 10 years or so [00:24:00] Is a culture of compliance and so what we recommend is don’t get stuck with the little tidbits of information you get from friends or from others, and look at it more holistically. And patient privacy is a huge one. You don’t have to go far to read all the stuff about cyber-attacks and cyber security and all of that directly impacts patient privacy. And so we started this episode talking about Cameo being one of the bright spots of 2020. Well, if you can kind of embrace compliance and know that there are some great benefits to having your before and after pictures up for example, what the proper procedures and consents, then you can have a cameo like connection with your patients. If you don’t do that, you may [00:25:00] have a, the rest of 2020 type of connection with your patients.

Brad: The dumpster fire. All right. Well, perfect. Don’t forget. Next week, we’ll be releasing episode 11 of season three that will be on Wednesday. This episode will be a dumpster fire story, Michael on how to blow your medical practice.

Outro: Thanks again for joining us today and remember, if you liked this episode, please subscribe, make sure to give us a five star rating and share with your friends. You can also sign up for the ByrdAdatto newsletter by going to our website at www.byrdadatto.com.

ByrdAdatto is providing this podcast as a public service. This podcast is for educational purposes only. This podcast does not constitute legal advice, nor does it establish an attorney, client relationship. Reference to any specific person or entity does not constitute an endorsement or recommendation by ByrdAdatto. The views expressed by guests are their own and their appearance on the program does not imply an endorsement of them or any entity they represent. Please consult with an attorney on your legal [00:26:00] issues.

ByrdAdatto Founding Partner Bradford E. Adatto

Bradford E. Adatto

Brad decided to become a lawyer during sixth-grade Career Day, when he promised to represent his best friend, a future doctor. A few decades later, he started his own law firm that focused on representing health care and corporate clients.