HIPAA And Surveillance In Hospitals

Over the years there have been many…too many…instances where doctors have performed the wrong types of surgeries on patients, and even the wrong surgeries on completely wrong patients…

There was a very interesting, and very concerning, news report yesterday, “Rhode Island Hospital Fined for Fifth Surgery Error in Two Years
To summarize,

  • Rhode Island Hospital was fined $150,000 by the Rhode Island Department of Health after a surgeon operated on the wrong finger of a patient.
  • The hospital must also install video cameras in all of its operating rooms
  • All surgeries will have to be watched by a clinical professional trained in surgical safety measures

NOTE: In 2007 in this same hospital, three separate brain surgeries were done in the wrong locations in patients’ brains! The hospital said it would make changes to prevent such mistakes from happening again. This latest incident, in addition to an incident earlier in 2009 when a surgeon operated on the wrong side of the mouth of a patient with a cleft palate, leads many to think it did not.
Of course video and audio surveillance will not PREVENT such incidents from happening, but knowing such recordings are being made will likely make surgeons much more careful about what they are doing because they will know their every move is being recorded.
I’m all for such measures if they will improve healthcare, help doctors to be more diligent about doing the right thing, and make patients healthier overall.
However, something that was not mentioned in this, or any of the other articles I read about the Rhode Island Hospital incidents, was how the hospital would ensure that the videos and audio recordings of such surgeries were used only for that purpose, and would not not infringe upon the privacy of the involved patients.
The definition of protected health information (PHI) under HIPAA includes images or other types of recordings of patients, so the audio recordings and videos would need to be protected according to the Security Rule and Privacy Rule; by not only the covered entities (CEs) but now also by their business associates (BAs) under the HITECH extensions of HIPAA.
Let’s hope Rhode Island Hospital, and any hospital that records surgeries (and there seem to be a lot of them) has comprehensive information security and privacy policies in place, along with effective, regular training and ongoing awareness communications, that help ensure the doctors, nurses and other hospital staff know and understand what they need to do to protect patient privacy. To do this healthcare providers need to:

  • Perform risk analysis for video and audio recording surgery practices to identify potential patient privacy risks, and then implement controls, policies and procedures, to mitigate, or better yet remove, those risks.
  • After creating them, review information security and privacy policies on an annual basis and whenever major organizational changes occur or operating room practices change.
  • Ensure all operating room personnel know and understand the information security and privacy policies, including the HIPAA rules, and comply with them to protect patients’ privacy.
  • Include information securutiy and privacy training not only within the new employee orientation, but also in regular training and ongoing awareness communications, and target operating room staff with training specific to their activities.
  • If video is used where it can be viewed by the public or by non-operating-room personnel, implement procedures to cover the patient’s face or use blurred facial images in the videos. Privacy can be invaded very quickly and irreversibly if simple precautions are not taken. For example, in March of 2008 it was reported that an unmarried woman had a dilation and curettage (D&C) procedure at a community hospital following an incomplete miscarriage. “During the D&C procedure, the woman’s face was shown on the OR video monitor, and she was recognized by someone who passed the OR suite when the door was open. This serious privacy issue came to light after the passerby disclosed the woman’s presence in the OR to other people. Gossip spread around town about the woman’s pregnancy and D&C. It raised a great deal of speculation and was embarrassing to the woman and others.”
  • Make sure the the video images and audio recordings are made available in such a way that they can only be seen or heard in restricted areas and by appropriately authorized individuals.
  • Make sure procedures are created and followed for using audio and video of surgeries for teaching.
  • Create policies and implement supporting procedures to ensure audio and video recordings of surgeries are retained only for as long as necessary to support the surgery analysis, or any authorized, and patient approved, training activities.

Using audio and video to improve healthcare is a great thing, but be sure when using such technologies that security and privacy controls are implemented to ensure the recordings cannot be used inappropriately and result in embarrassing, or worse, the involved patients. Not only is this the right, and ethical, thing to do, it is also required by HIPAA regulations and other assorted federal and state-level privacy and data protection laws.

Tags: , , , , , , , , , , , , , , ,

Leave a Reply