HIPAA Compliance Strategies

Featured Health Business Daily Story Oct. 12, 2009

It’s Time for HIPAA Covered Entities to Update Their Policies on the Use of Cell Phones and Cameras

Reprinted from REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

By Eve Collins, Editor,
(ecollins@aispub.com)

Covered entities (CEs) should review and update their policies on cell phones and cameras and make the rules clear and highly visible to employees, patients and visitors, privacy experts tell RPP.

Technology and social networking sites are simple to use and very widespread. A person can take a picture with an iPhone and post it to his or her Facebook page in an instant. In a hospital setting, this might be OK in a birth center for new parents to announce that a baby has arrived, for example. But in other areas of the hospital, photography and cell phone use should be discouraged except in special circumstances.

The stakes can be high for workers if the CE has a low or zero-tolerance policy. In April, four employees were fired from University Medical Center (UMC) in Tucson after an employee snapped a photo of a patient using the camera function on his cell phone. The incident was reported by another employee, and UMC investigated. The employee’s target was an unconscious patient’s “ambiguous genitalia.” He never sent or otherwise shared the photo.

Patients Must Consent to Photos

UMC’s investigation found other employees who had taken pictures of patients in the past, but with the consent of those patients. UMC’s policy prohibits photos from being taken without the written consent of the patient or a family member, the facility said in a statement. The policy also prohibits staff from using cell phone cameras in the facility.

Frank Ruelas, privacy and compliance trainer for CEs, says many of the organizations he works with have very strict policies on photography: They allow it for treatment purposes, then decide on a case-by-case basis to include review by members of the administration and the privacy officer. And all the policies require that patient authorization be given.

There are exceptions, such as when a nursing home patient arrives but is not able to communicate and has stage three or four pressure ulcers on his or her body. The provider would want to document that. But if the patient is communicative, simply ask for permission to take photos of the injuries or sores. “You always want to educate the patient on what your intentions are because you want to build trust,” he says.

And with new technology always appearing, CEs should periodically review and update their policies, says Abner Weintraub, president of The HIPAA Group, a consulting firm. “Policy creation and sanctions are two of the strongest tools they’ve got.” But be sure to write the policy and procedures in plain English. “Most are written by lawyers as if the audience is a group of lawyers,” he notes. “If policies aren’t communicated to employees effectively and if they’re not widely circulated, they may as well not exist. Make employees aware of the policies, and make sure they can understand them,” he says.

When photos are needed for treatment, the CE should give employees access to a digital camera and discourage the use of cell phone cameras. “That helps mitigate much of the potential for further unauthorized disclosure,” Ruelas explains. “With a cell phone, you can e-mail the photo to someone. There’s no way you can do that with just a camera. It can’t happen by accident.”

“I can see where hospitals can take the position to allow cell phone photography technology in extreme cases, but for purposes of documenting PHI, I can’t make that link,” Ruelas continues.

Ruelas says he has seen physicians using their phones to take photos of patients in unique clinical situations. “Maybe the patient has a certain type of injury and they want to document how they proceeded to address the injury,” he explains. In one example, a nurse brought it to the privacy officer’s attention, and the issue went to peer review. The panel acknowledged the validity of the physician’s actions, but said there was no need to use the cell phone camera. The doctor admitted in the review that he could have told a nurse he wanted a photo and that he knew the emergency department kept a digital camera.

The physician received a letter of reprimand. “There is a high level of sensitivity [at] that hospital, and the bottom line was that they need to manage privacy, so [staff members shouldn’t] take a shortcut and use their cell phones,” Ruelas says.

Patients, Visitors Are an Issue Too

It’s not only employees, but also patients and visitors, who have taken photos and sometimes distributed them on their Facebook pages, Weintraub points out. “Some intentions are innocent — here’s Uncle Harry in the hospital,” he says. “Sometimes it’s to document a medical error or bad treatment that a relative or the stranger in the next bed has been getting from hospital employees.”

Weintraub says CEs should make patients aware of their photography policy and have them sign the policy to show that they’ve read it. “When a patient has to sign that he or she will not use their phone’s camera, audio or video, the signature carries a lot of weight,” he says.

For visitors, signs should be prominently posted in hospital waiting areas and hallways. “Just on my personal observation alone, I don’t see enough of them in the medical facilities that I have visited,” Weintraub says. And signs should also be displayed in small clinics and physician practices, he adds. Smaller facilities are often overlooked because breaches at hospitals get so much media attention, but Weintraub says their compliance is important as well.

“For an organization that has strict policies in place, has put signs up, has trained its employees, has a form for patients that spells out the rules for camera usage…if something happens there, the liability is generally far lower” for that facility, he says.

 Is It Realistic to Ban Cell Phones?

Everyone has a cell phone nowadays, and most models have camera features. So is it realistic to ban their use outright? “No,” says Ruelas. “They have become a physical extension of each of us….I can’t think that would be manageable.”

Some hospital policies say that employee cell phone use is limited to phone calls only, excluding not only photography, but also texting, which Ruelas says can also be a major distraction.

While Weintraub has seen complete cell phone bans, he says he doubts they are really effective. “What are you going to do? Search everybody’s bags and purses? How far are you going to go?” Some organizations require employees to leave the devices in their lockers. “They consider that to be a 100% ban,” Weintraub says. “Any portable electronic devices have to be locked up.” He points out that many devices also now come with audio functions that pose as much of a threat as video or still photography.

“We have a lot of people with gray hair trying to deal with social phenomenon that is ubiquitous. Part of the situation with audio and video [devices] that record is not just that the data escape the property, it’s the social networking sites that data are ending up on,” Weintraub says.

Advertise With AIS

Privacy

Site Map