Why New Camera Technologies Present a Challenge for Health Care Facilities
The ease and popularity of uploading and viewing photos online has fostered an environment in which protection of individual privacy is hardly given a second thought, and it is rare that someone questions whether it is acceptable to post a photo for the online world to see. However, health care facilities and providers must guard against online posting of photos of patients, particularly where those photos depict patients inside a health care facility or receiving treatment. Photos such as these could constitute an invasion of patient privacy, and could even be protected health information (PHI) under HIPAA. Given the strict regulatory environment under which health care organizations operate, it is vital that written policies regarding the use of all types of cameras — but especially cell phone and PDA cameras — by staff, practitioners, and visitors are adopted and enforced to avoid potential liability.
Consider the following illustration: a hospital nurse, who has treated a patient for an extended period of time and developed a friendly relationship with the patient, has her picture taken with the patient. Thereafter, the patient passes away. Grieved by the loss, the nurse posts the picture online through one or more of her social media accounts, and perhaps updates her “status” — indicating that she is saddened by the passing of her “favorite patient” that day. Although the nurse’s action might be the online norm for a purely personal relationship, it is entirely inappropriate in the context of a professional relationship involving a patient and a provider. In addition, the post could constitute a violation of HIPAA (even if the patient’s name is not used) if the nurse’s unauthorized disclosure includes other PHI (such as the patient’s date of death, cause of death, the fact or nature of treatment, etc.).
There have been several incidents in hospitals over the past several years that have led to employee suspensions or firings over the inappropriate and unauthorized dissemination of patient photographs. One such example involved a chief resident of general surgery at Mayo Clinic’s Phoenix Hospital, who resigned or was asked to leave following his use of his cell phone to take an inappropriate photo of a patient under anesthesia, which he then showed to his colleagues.
Even more problematic are photos that are taken by patients and visitors that infringe on the privacy rights of other patients. At the University of California at Los Angeles’ Resnick Neuropsychiatric Hospital (Resnick), a patient did just that when he posted photographs taken during a group therapy session to a social networking website. The patient who posted the photos claimed that he had the other patients’ consent, but hospital administrators rejected that claim, expressing their concern that some of the individual patients involved may not have been fully competent to give their consent.
What are facilities to do? After the incident, Resnick completely banned the use of any cell phones or laptops within the facility, regardless of whether they contained a camera or not. Hospital officials took this measure instead of requiring staff to check whether cell phones or laptops contained cameras. Protective measures employed by other health care facilities have included the completion of forms stating that admitted patients (or his or her responsible party) have been informed that they may only photograph their own family members while inside the facility, and that the use of cell phones and cell phone cameras is prohibited or severely limited.
Whatever policy a health care facility adopts, signs should be conspicuously posted that clearly state the nature and extent of the ban on cell phone or cell phone camera usage within the facility so that volunteers, visitors, employees, and practitioners all understand what is permitted. Facilities should consider training staff to require any patient, visitor, employee, or any other individual inside the facility who is observed taking photographs with a cell phone to immediately erase the photographs from the phone.
As technology advances and wireless handheld devices, PDAs, phones, cameras, and computers become ever smaller and more inconspicuous, health care facilities need to proactively respond to the potential privacy violations that the use of such devices presents. The inconvenience of doing so is quite real, but so are the potential costs of violations. Patients may file complaints about privacy violations with the Office for Civil Rights within the Department of Health and Human Services. Such complaints result in an investigation into the incident, and a potential fine of $25,000 for each patient whose medical information may have been accessed or disclosed unlawfully if the facility does not take appropriate steps to resolve the incident and prevent future similar occurrences.
Click here to view the full digital version of the The New Tech & The Law edition of SML Perspectives.