Why making videos in healthcare facilities could pose a HIPAA risk
Video recording used to be a complicated, equipment-heavy process. Now, it’s as simple as turning on a smartphone. And videos, once recorded, appear on the internet all of the time. Police body cameras are another growing area where a video is taken every day and in all sorts of locations.
When those videos record activities in a hospital, physician’s office or other healthcare settings, what is permissible? These are questions being raised with increasing frequency and one that is challenging to organizations.
Like so many regulatory requirements or conundrums, the answer is not so clear. Who wants to make the recording, the circumstances surrounding the recording and other factors play into what may be allowed or what could result in a HIPAA violation. While the outcome will depend upon specific facts and circumstances, some HIPAA awareness can be generated by considering a few different scenarios where recording may occur.
A physician starts a patient examination and is seeing a reaction or behavior that is unique, and because of that, the physician wants to be able to show some of the actions or interaction with colleagues. To do this, the physician takes out a smartphone and starts recording. The physician then sends the recording to some physician friends to solicit other opinions or ideas. Was the recording allowed?
Taking the scenario on its face, the physician’s actions would be quite troubling under HIPAA. The physician recorded a patient encounter, so it is highly likely that some amount of identifying information appeared in the video. Second, the video is being stored on what is probably a personal smartphone with potentially unknown security protections. Lastly, the video is then being sent to other individuals who may not work at the same organization, which means information is being sent out into the open, and that concern is not alleviated by the recipients also being physicians.
With all of the potential concerns, what could have been done differently? The physician could have asked the patient for permission to record. The patient’s response then could have been documented and, assuming an affirmative response, the authorization would help in clearing up concerns. An authorization from the individual whose information is impacted is one of the golden keys under HIPAA.
However, the authorization does not resolve privacy concerns around storing information on a personal device or sending the information to individuals outside the organization. From the device perspective, organizations need to have a “bring your own device” policy in place that sets out how and when personal devices can be utilized. If storing HIPAA covered information is unavoidable, then the device should be equipped with appropriate security measures. Good security measures can anticipate the device being lost or stolen, or some other form of compromise.
The last major issue presented by the scenario is the transmission of the information by the physician to friends outside the organization. HIPAA permits sharing of protected health information for treatment purposes, so could sending questions to a peer group qualify? The answer is not clear, as an argument could be made that such sharing is equivalent to the so-called hallway consult. That argument could be questioned, because the hallway consult at least would typically involve providers who were all in the same group or office.
A group of friends who happen to be physicians is different. The friend group likely does not have any relationship with the patient, which would extend a determination that no treatment relationship exists or would exist. Sending information to friends in this context is most likely not consistent with HIPAA requirements and should not be allowed. The situation could be remedied by sending information that is de-identified or seeking a second view from a direct colleague.
A patient presents in the emergency department with several friends. As happens so often now, one of the friends wants to document what is happening. To do this, the friend starts taking short videos and posts them on a social media site. Was the recording a HIPAA violation?
When a recording in a healthcare facility, whether a hospital or medical office, is made by a visitor, the HIPAA concerns become significantly more nuanced. HIPAA only applies to covered entities, business associates and subcontractors. The privacy and security requirements of HIPAA do not apply to patients or their visitors. If a visitor takes a video, that video does not necessarily result in a HIPAA violation. If the patient is not happy, it is ultimately up to the patient to take up that issue with the visitor.
That being said, the healthcare facility should not turn a blind eye to the recording. From the universal perspective, a recording and video policy should be adopted. The policy would not necessarily be limited solely to instances of recording by visitors, but cover all forms of potential recordings. Thinking of visitors specifically, the policy can limit when, who and how recordings could be made. While the facility cannot stop the patient from being recorded by a visitor, it can restrict when physicians, providers or other staff could be recorded, as well as aiming to prevent other patients from being included in the video.
Consideration of other patients is where a facility could run into HIPAA complications. HIPAA expects reasonable efforts to be undertaken to protect the privacy of all protected health information, which means all patients. In the recording context, that obligation arguably extends to preventing or minimizing the inclusion of patients or information in a video. As such, if a facility does nothing to control visitors from freely recording other patients, provider interactions or other bits of action in the facility, a HIPAA risk could be generated.
As a result, a policy covering recording will help to refute such a claim and inform visitors as to what is permissible. Accordingly, the basic tenets of the policy should be clearly communicated, for example, by posting signs stating that recording is not allowed and that the facility can request that any recording made be deleted. In conjunction with publicly posting the policy, staff should be educated and empowered to enforce the policy. While a policy and enforcement may not stop all unapproved or undesired recordings, it can establish the reasonableness of the facility’s approach.
A police officer comes to a hospital because he believes that a suspect connected to a crime is a patient at the facility. The officer is wearing a body camera that is constantly recording and is attached to the officer.
From one perspective, a police officer is no different than any other visitor. The officer does not work for the facility, is not a patient and is arguably arriving to “visit” an actual patient. Because the officer is coming into the facility to see an individual being treated by the facility, the officer should not be treated any differently. That would mean applying the facility’s recording policy. However, the police officer may feel like a different sort of visitor or make an assertion that HIPAA does not apply to them, or that they are otherwise entitled to make a recording or access information.
It is accurate to a degree to state that police officers and other law enforcement officials may be the recipients of protected health information without needing to obtain an authorization or give an individual the opportunity to object. The use and disclosure to law enforcement may be fairly broad, but limited at the same time.
The following are most of the allowed uses and disclosures:
- As required by law, including reporting of certain types of wounds or other physical injuries.
- In compliance with a court order or subpoena or similar administrative request.
- For identification or location purposes, but only information specified in the rule.
- For information about someone who is or is suspected to be a victim of a crime, if the individual agrees or, based upon representations of the law enforcement official, if the person is incapacitated and the information is needed to help catch the criminal and will not be used against the individual.
- For reporting crime in emergencies.
As indicated, the scope of information that can be shared is broad, but does not necessarily permit a police officer or law enforcement official to freely walk around a healthcare facility and record what the officer observes.
The best course for the healthcare facility would be to implement a uniform policy and consistently enforce that policy. Because law enforcement could represent a unique circumstance, coordination between the healthcare facility and the local police station or other law enforcement agency would be beneficial. Advance communication and understanding could help defuse potentially tense circumstances.
The growing popularity and ease of video recordings make awareness of the interaction between video and HIPAA essential. As with so many other areas of HIPAA compliance, advance knowledge can help avoid misunderstandings and negative confrontations.