Reality television fans and others were saddened recently when news of a Kardashian family member’s overdose hit the news. Lamar Odom, sometime beau of Khloe Kardashian, was hospitalized after the incident, and his privacy was reportedly violated when staffers at the medical center where he was treated took pictures of him. The staffers were immediately fired due to this conduct. Lamar’s plight contains a teachable lesson for those employers who must comply with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, which protects the privacy of personal health information (PHI).
Entities subject to HIPAA include health plans, healthcare providers, and healthcare clearinghouses. While covered entities are not responsible for the actions of a patient’s friends or family, when a stranger takes a photo of the patient, a covered entity may be at risk for liability. The advent of cell phone cameras increases this risk tenfold.
HIPAA does not make distinctions between types of electronic devices, but camera phones are most likely included under its expansive definition of electronic media. HIPAA’s section on disclosure of PHI lists “full face photographic images and any comparable images” among the many items that must be removed to render health information individually unidentifiable.
In light of these regulations, it is likely that snapping pictures of patients and health records that are not taken for any clinical purpose is a HIPAA privacy violation. What if this device then falls into the wrong hands, further increasing the risk that PHI is released?
Healthcare organizations, as well as other entities that come into contact with PHI, must keep evolving their overall privacy and security program to ensure that they do not inadvertently release PHI. Consider these three steps to avoid a Kardashian-sized Katastrophe.
Kreate – Policy is paramount: Create a clear policy with enforceable terms. A blanket ban on cell phones will likely be ineffective because taking photographs and videos in the workplace is not one-size-fits-all. Sometimes taking photos or videos is part of doing business, e.g., documenting a patient’s wound. Sometimes an employee may inadvertently snap a photo of another employee, not realizing a patient is in the background; other acts, such as photographing a celebrity patient, may be more calculated. Create a clear and tailored policy that distinguishes what types of pictures are permitted and not permitted, and when photos are and are not allowed. Further, when a photo is necessary for business purposes, it’s always a good idea to use employer-owned equipment – this way, the photo belongs to the organization, not the worker. Ensure the media is deleted from the equipment once it has been placed in the appropriate record storage area.
Koach – The More You Know: Snapping photos has become second nature for so many people. To curb this practice in the workplace, communicate the policy at all levels – to employees as well as visitors who may have access to patient care areas or other areas where privacy is implicated. If you are a healthcare facility, ensure employees are well-trained and ensure your policies are clear to visitors to the facility. Support this education with well-marked signage and perhaps even written policies which employees and visitors must read and agree to as a condition of employment or association with the facility. These steps will also demonstrate that your facility was exercising reasonable measures to protect patient privacy.
Karry Out – Execute Efficiently: Next, consider “secret shopper” moves to determine if policy and training have worked. For example, conduct monthly walk-throughs where you attempt to take a photo in a no-photos area, and see if you are questioned.
Make sure violations are met with consistent consequences so that compliance does not wane over time. Taking active steps to enforce the policy will demonstrate to both your workforce and visitors that you mean business.