HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Hospital Staff Discovered to Have Taken and Shared Photographs of Patient’s Genital Injury

An investigation has been conducted into a privacy violation at the University of Pittsburgh Medical Center’s Bedford Memorial hospital, in which hospital staff took photographs and videos of a patient’s genitals and, in some cases, shared them with other individuals, including non-hospital staff. The patient was admitted to the hospital in late December 2017, with photos/videos shared over the following few weeks.

The patient was admitted to the hospital on December 23, 2016 with a genital injury – a foreign object had been inserted into the patient’s penis and was protruding from the end. The bizarre injury attracted a lot of attention and several staff members not involved with the treatment of the patient were called into the operating room to view the injury. Multiple staff members took photographs and videos of the patient’s genitals while the patient was sedated and unconscious.

The privacy breach was reported by one hospital employee who alleged images/videos were being shared with other staff members not involved in the treatment of the patient. The complaint was investigated by the Pennsylvania Department of Health and Human Services on May 23, 2017.

While HIPAA violations appear to have occurred, the investigation confirmed only that violations of the Social Security Act had occurred. According to the published report of the investigation, multiple areas of non-compliance with the Social Security Act – 42 CFR, Title 42, Part 482 – Conditions of Participation for Hospitals were discovered: 482.13 – Patient rights; 482.22(c) – Medical Staff Bylaws; 482.42 – Infection Control; and 482.51 – Surgical Services.

According to a statement obtained from a member of staff who was interviewed, a request was made for photographs to be taken of the patient’s injury for use in future medical lectures. That individual said, “We have a camera in the OR for that purpose, but it was reportedly broken and so personal phones were used. Initially, we thought there was only one picture taken but later we learned of others. We also had the camera checked out, it is working, it is just too complicated to use.”

One physician said, “At one point when I looked up, there were so many people it looked like a cheerleader type pyramid.”

The story was originally reported on Pennlive, which received an emailed statement from UPMC saying, “The behavior reported in this case is abhorrent and violates the mission of UPMC Bedford and the overall values of UPMC. Upon discovery, UPMC quickly self-reported the incident to the Pennsylvania Department of Health and took appropriate disciplinary action with the individuals involved.”

Those actions included suspensions and firings of staff who were discovered to have violated the patient’s privacy. The patient, who was not identified, has also been informed of the privacy breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.