The trusted source for
healthcare information and
Photos of shark victim underscore threat from cell phone cameras
Experts say such actions are HIPAA violations
"Good people who exercised poor judgment" recently took cell phone pictures of a shark attack victim who later died in the ED at Martin Memorial Medical Center in Stuart, FL, according to a statement released by hospital officials. Although no staff members were fired, the hospital has disciplined several ED employees for taking the cell phone pictures and has asked anyone with copies of the photos to destroy them.
Unfortunately, with the rapid spread of cell phones equipped with cameras, such activities have become all too common. "A hospital client of mine recently experienced a [privacy] breach when a trauma nurse on the first day of work in the ED was texting and 'Facebooking' friends about her cool new job," shares Gina Ginn Greenwood, JD, of counsel, in the Macon, GA, office of Baker, Donelson, Bearman, Caldwell, & Berkowitz. Minute by minute, details of patient emergencies were posted "for all the world to see," says Greenwood.
The nurse was shocked to learn this was a prohibited activity, "and unfortunately her career was short-lived," she reports. She was under the impression that the disclosure was allowed because she did not use patients' names. "This is a common mistake," says Greenwood. "Health information that can in anyway be used identify a patient must be protected under Health Insurance Portability and Accountability Act [HIPAA)] privacy and security rules."
Mary Jean Geroulo, JD, MBA, a health care attorney with the Dallas law firm of Stewart Stimmel, says, "This has come up in several facilities. We have had reports of staff whether they are nurses, techs, or even physicians in a couple of cases taking pictures of patients either with horrifying trauma in the ED or in surgery."
Geroulo says she has received reports of pictures posted by people on their Facebook pages offering accounts of "see what I did today" and others being e-mailed to patients who wanted to see what their gallbladder looked like. "Various kinds of pictures have been taken by cell phones when not authorized, and this is an issue many hospitals are struggling with," she notes. "It's more prevalent in the ED, considering that patients often come in with unusual conditions, and people think they are interesting and want to share them with people they know."
What does HIPAA say?
One of the potential causes for confusion among ED staff and leadership is that cell phone cameras are not specifically mentioned in HIPAA - most likely because when the law was created they were not so common.
"I reviewed the HIPAA standards, and while it does not say specifically that cell phone pictures are not allowed, it does say that photos without proper consent are not allowed," says Scott Felten, MD, FACEP, an emergency physician at St. Francis Hospital and an assistant professor at the University of Oklahoma, both in Tulsa. "Where the breakdown occurs is that people have a 'disconnect' when it comes to what they consider a 'picture.' A phone seems like a harmless thing, but a picture is a picture."
Felten's instincts are spot on, says Geroulo. "HIPAA has very broad applicability. It covers anything that qualifies as individually identifiable patent information," she explains. "Typically, we think of things like medical records or X-rays, but it can extend to pictures taken of patients if the information on that picture identifies the individual."
The example of a shark bite victim would fall into that category, Geroulo says. "In and of itself, a picture of a body part may not violate HIPAA, but if something unique and identifiable about that body part links it to an individual it is," she says. "So, in the case of shark bite victims, there is usually an article in the paper about surfer 'John Jones' being bitten in the leg, so when a picture of a leg with a shark bite is seen, the patient can be identified."
Protecting patient privacy became even more critical with the passage of the Health Information Technology for Clinical and Economic Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act of 2009 and included strengthening of guidelines and greater penalties for HIPAA violations. There is a series of tiered minimum fines for individual claims and a $1.5 million maximum fine when a group of employees are affected.
Hospitals are required by the HIPAA Security Rule to assess the risks associated with use and disclosure of electronic personal health information (ePHI), Geroulo explains. "Misuse of social media is a risk hospitals likely did not address during initial security compliance implementation, but in light of recent HITECH changes to the HIPAA rules, including the addition of breach notification rules and the enhancement of penalties, now is the time to address these risks and implement policies and training to mitigate the chances of misuse," she says.
It is important for hospitals to train their workforce members - especially the younger ones on the proper use of PHI, Geroulo says. "Recent health provider/clinical graduates are part of a generation that has grown up telling the world, minute by minute, the details of their lives," she says. "Hospitals will need to train these and other workforce members about the proper use of PHI." (For more on how to prevent potential HIPAA violations, see the story below.)
For more information about cell phone camera use in the ED, contact:
Prohibit cell phones to ensure privacy
The surest way to prevent violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) involving the use of cell phone cameras is to prohibit the use of cell phones in the ED, say privacy experts.
"For our nursing staff, the nurse coordinator has gone to a policy that the use of cell phones is forbidden in the ED beyond use for reference, such as downloading medication guides," says Scott Felten, MD, FACEP, an emergency physician at St. Francis Hospital and an assistant professor at the University of Oklahoma, both in Tulsa. "Any texting, photography, or even speaking on the phone during work is forbidden and can lead to termination."
In addition, Felten says, all residents and other physicians obtaining privileges receive orientation about professionalism and behavior, and residents also receive annual online HIPAA training. "Every year the nursing and ancillary staff must do what the residents do," he adds.
The policy is not an empty one, Felten says. "There was an incident in the last 12 months," he says. "The individual using a cell phone for personal use has been terminated."
Mary Jean Geroulo, JD, MBA, a health care attorney with the Dallas law firm of Stewart Stimmel, says, "Having been on the operations side of things and been responsible for implementing policies, the only way to prevent violations is to prohibit the use of cell phone cameras by staff. Once a picture is taken and they hit the 'send' button, if they delete the picture, administration will not know if the picture that was sent out violates HIPAA."
The simplest way to avoid such a 'horrible proposition' is to prohibit taking pictures of patients with personal cell phones, Geroulo says. While she understands the educational need to take photos, Geroulo argues that cell phones shouldn't be used for those pictures anyway, because "the quality is not that good."
In addition to violating the law, "patients have a right to expect a certain level of respect of their person when they are unconscious and unable to speak for themselves," she says. People who work in the ED have to develop a certain level of casualness as to what has to occur to stabilize a patient as quickly as they can, Geroulo says. "Clothing comes off, body parts are treated in way that is hard for the casual observer," she says. "It's hard enough to know that as a patient, but to have one of those workers take pictures of your body when undergoing a life-changing experience and to have it used for someone's personal gratification I find it to be the most horrifying violation."