June 7, 2010

Negative Exposure
By Alice Shepherd
For The Record
Vol. 22 No. 11 P. 10

The potential use of cell phone cameras by staff and others forces hospitals to focus on how best to protect patients’ privacy.

“Whenever a healthcare worker takes a picture of a patient, he or she always should use facility-owned equipment because then the photo belongs to the organization, not the worker.”

In February 2009, Mercy Walworth Medical Center in Lake Geneva, Wis., dismissed two nurses for allegedly using their cell phone cameras to take photos of a patient’s x-ray and later posting them on the Internet. This past February, several employees and other individuals at Florida’s Martin Memorial Health Systems allegedly used their cell phone cameras in the emergency department to photograph the injuries of a shark attack victim who later died. After an investigation into possible HIPAA violations, the hospital attributed the actions to poor judgment rather than malicious intent. Disciplinary actions ranged from written warnings and suspensions to demotions and academic probation for paramedic students. No one was fired.

The differences between the ways the two incidents were handled raise serious questions about the use of cell phone cameras. What does HIPAA have to say? Nothing specific; the regulations don’t appear to distinguish between types of electronic devices. However, camera phones are most likely included under the broad definition of electronic media: “Electronic storage media, including memory devices in computers, (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.” HIPAA’s section on disclosure of protected health information lists “full face photographic images and any comparable images” among the many items that must be removed to render health information individually unidentifiable.

Putting two and two together, it’s probably safe to assume that snapping pictures of patients and health records with a cell phone camera is a HIPAA privacy violation. So what can healthcare organizations and their employees do to avoid incidents that tarnish their reputations?

Start With Clear Policy
“The risk of privacy violations and consequent harm has increased tremendously with the proliferation of devices such as cell phone cameras and audio recorders because it’s so easy to upload pictures and audio files from cell phones to the Internet,” says Patricia Markus, JD, MA, an attorney with the Southeast-based law firm Smith Moore Leatherwood LLP. “When a hard copy of a photo or record is handed to someone who is not authorized to see it, the risk to privacy may be lower because perhaps only one unauthorized person is exposed to the information.”

“Covered entities need to keep evolving their overall privacy and security program as new threats and technologies emerge,” says Doug Landoll, practice director for risk and compliance management at the security firm Accuvant. “Specifically, four steps should already be in place and should be updated to encompass new developments: policy, training, formal observation, and testing of controls.”

The preponderance of handy devices that healthcare workers can easily tote around should force hospital management to reexamine its employee bylaws.

“Each institution’s executives, privacy and risk personnel, and legal counsel need to review their policy, what it covers, and how it is enforced,” says Claudia Tessier, RHIA, MEd, president of the mHealth Initiative, Inc and author of Management and Security of Health Information on Mobile Devices. “There are instances when picture taking, say of a lesion, is necessary for clinically justifiable reasons, and therapy sessions are sometimes video recorded. The problem is that cell phone cameras have become ubiquitous, and an employee may unthinkingly snap a photo of another employee not realizing there are patients in the background. Then, of course, there could be the more deliberate employee action of taking a photo of a celebrity or someone they know in the community. It’s important to have a clear policy that distinguishes what types of pictures are permitted and not permitted and to communicate the policy at all levels.”

Any policy has to be well organized and simple to understand if it is to modify behavior. It should also be flexible because absolute policies are difficult to enforce. “A knee-jerk reaction of no cell phones for any reason does not lead to enforceable policy,” notes Tessier. She suggests that rather than preventing cell phone use, a more effective approach aims to ensure patients’ privacy is not violated through picture taking. Once the real issue is clear, it becomes possible to develop policies, procedures, enforcement, sanctions, education programs, and management programs that make sense.

Landoll recommends prohibiting the unauthorized use of camera phones, allowing flexibility for properly secured, hospital-owned cameras using approved applications. Further, if picture taking is permitted in some areas but not in others, the restrictions should be posted clearly, which calls for extra diligence in enforcing the policy.

“Part of the concern about cell phone pictures is with who owns or controls the photo,” says Markus. “Whenever a healthcare worker takes a picture of a patient, he or she always should use facility-owned equipment because then the photo belongs to the organization, not the worker. Even for a legitimate work-related photo that is taken with the patient’s authorization, a worker should not use a personal cell phone because then it is the worker who owns and has control over distribution of the picture. Unless the facility can ensure that the picture is deleted from the worker’s cell phone afterward, the possibility remains that the picture will be released inappropriately to people who have no authority to see it. Facilities that own cameras or video or audio equipment should ensure that the photos or recordings are deleted from the equipment once they have been placed in the appropriate patient records. Hospital cameras don’t usually have built-in e-mail transmission devices so use of these cameras presents less of a privacy risk, but some hospitals allow the encrypted transmission of pictures taken with a hospital-owned camera for legitimate reasons.”

Don’t Frustrate Visitors
What about visitors snapping photos of patients? “Policies vary in that regard,” says Tessier. “It’s my understanding that the patient’s family is not under the jurisdiction of the hospital, but that doesn’t mean the hospital cannot have a policy against their taking pictures. But again, enforcement might be difficult. Visitors should, of course, be cautioned to limit photos to the patient they are visiting—and even then to extend the courtesy of asking them.”

The logistics of preventing visitors from taking photos could become too difficult to monitor, says Markus. “You’d need video cameras in every room to enforce a ban on new dads taking pictures of moms and babies,” she notes. “However, hospitals should consider whether and under what circumstances they will permit camera phones, create clear policies on camera phone use, and clearly communicate those policies to everyone who visits the facility, including patients and families. Although a total ban on cell phone use may not be enforceable, in determining whether to permit some camera phone use, hospitals should consider the possibility that someone may want to take pictures to document that a patient is not being cared for appropriately. To inform patients about a cell phone policy, many facilities provide forms at registration and also post signs or statements in public areas of the facility outlining the policy.”

“If visitors are specifically limited to taking pictures of their own family members with permission, the hospital’s liability may be less,” says Landoll. “But visitors may also be tempted to snap pictures of celebrities or people with ‘interesting’ wounds or conditions in the emergency room. Clearly, that should not be allowed. Again, it’s essential to spell out permitted and nonpermitted behavior.”

Who’s Responsible for Developing Policy?
Posting policy templates online is never a good practice because generic, cookie-cutter policy is weak and won’t be taken seriously, says Landoll. Rather, policy should be aligned with the business mission, tailored to the organization, and interpreted for specific jobs so people know exactly how it applies to them. “Policy always has to start at the top. If it starts at the bottom without executive support, it’s going to become shelfware quickly,” he says. “Even if the privacy officer or an independent consultant writes the policy, it has to be reviewed by the hospital administration. A multifacility system might want a baseline policy that applies to common issues across all locations, with riders or more specific policies for specific environments or unique location-dependent issues.”

On occasion, organizations hire consultants to write policies, but Markus believes facilities should develop their own standards because they understand what works and what doesn’t in their particular culture as well as who is in the hospital on a daily basis. She suggests that any policy addressing compliance concerns such as privacy laws be reviewed by an attorney who is familiar with the issues to make sure nothing is overlooked and the wording allows the facility to effectively enforce the policy.

Back It Up With Training
If hospital employees were asked whether it’s permissible to take photos of patients, most would probably say no. The problem is that snapping pictures with cell phone cameras has become second nature for so many people that they may do so without thinking. That’s where training can help raise awareness.

“Setting policy without providing a rationale and education can be frustrating if not futile,” says Tessier. “Policies have to be backed with training to ensure that all employees, contractors, and others who work within the institution understand that it’s a HIPAA violation to take pictures that are not legitimate from a clinical perspective. The issue can be addressed in HIPAA programs, seminars on patient relationships, or employee orientations. Occasional reminders, as through newsletters, couldn’t hurt. Education won’t completely eliminate the problem, but at least it addresses it.”

Markus says organizations need to educate not only their employees but also others who work at the facility, including medical residents, volunteers, emergency-services personnel, physical plant contractors, lawyers, accountants, and any number of people who move in and out of the hospital on a daily basis and have access to patient care areas. Institutions can set up orientations for volunteers and on-site vendor employees and make training arrangements with medical schools to educate residents. Vendors can also be required to sign a confidentiality agreement that includes the facility’s policy on camera phone use.

 Landoll reminds organizations to update their security awareness training to address cell phone cameras, voice recorders, and video equipment. He also recommends improving security awareness training through social engineering. “When training presents dry information people have heard before, it’s not very effective,” he says. “To make it more interesting, conduct a social engineering experiment two weeks before the class. Try to find leakages of patient information. For instance, call up the administrative office and say, ‘I didn’t receive the fax you were going to send. Here’s my number again.’ See if the employee follows the proper process before sending the fax. If you discuss the results of these experiments at the awareness training, people will start paying attention and improve their diligence.”

The amount and frequency of training depends on the complexity of the organization, its policy, and the roles of those who come in contact with patients or personal health information. “HIPAA requires annual training, but organizations that want to improve their culture may want to do it more frequently,” says Landoll. “At the low end, organizations ask staff to log into a 20-minute computer-based module once a year. Even a quiz at the end would improve it slightly. Live training is much more effective, particularly when it is supported by recent social engineering experiments.”

“Education should be supported by written policies,” says Markus. “To protect against privacy violations, there should be policies about cell phone camera use which people can read, understand, and agree to abide by as a condition of their employment or association with the hospital.”

Observe, Test, Enforce
Landoll suggests further reinforcing policy and training with formal observation of staff behavior. “Once a month or once a quarter, security or privacy officers should inspect behavior by walking around the building and putting themselves in specific situations where they might overhear an elevator conversation, see faxes lying out, or witness the taking or sharing of pictures,” he says. “Another important step is the actual testing of controls. For example, if you have a control designed to prohibit someone from carrying a cell phone into a patient care area, attempt to carry one in and see if you’re questioned.”

What happens when someone is caught in a HIPAA violation and there are no consequences? “If an organization does not correct behavior and impose sanctions for privacy violations, policies are ignored more and more,” says Landoll. “If improper behavior goes unchecked despite strong policies, the unauthorized disclosure of patient information becomes more imminent. People look for boundaries; if you don’t give them boundaries, their behavior slowly slips and the disclosure problems become bigger and bigger. That’s very dangerous to the protection of PHI [personal health information]. If, on the other hand, you take swift and strong sanctions, your culture improves.”

Make It Stick
Whatever policy is developed, leadership must have the backbone and authority to make it worthwhile. “If you create a policy, make sure its terms are clear and that you can enforce it,” says Markus. “Then take active steps to enforce the policy and demonstrate to both your workforce and visitors that you mean business. The onus is on each facility to make sure that they can live with the policy, that it’s neither too strict nor too lenient and that it can be enforced consistently.”

“Any policy has to be clear, appropriate, enforceable, and consistently enforced,” adds Tessier. “Consequences and sanctions should be defined in advance.”

“Sometimes policies and procedures get a bad rap,” says Landoll. “I’ve heard people say, ‘That’s just policy; it won’t stop anything.’ However, I believe that the overwhelming majority of employees seek to do the right thing and if you set effective policy and train them on it, they’ll perform correctly. If you don’t set clear policy, don’t update it, or don’t take training seriously, questionable practices will result. Mercy Walworth Medical Center did the right thing to fire the nurses who allegedly posted pictures of the x-ray online, but Martin Memorial [Health Systems] reacted weakly in the case of the individuals who snapped pictures of the shark attack victim. I’m a strong believer that you always start with policy. Tell people what you want them to do and that’s more than half the battle."

— Alice Shepherd is a southern California-based business-to-business journalist specializing in healthcare topics.