It seems like every new cellphone model these days comes with a camera. And many, like the Apple iPhone, also contain audio recorders. In fact, it’s getting hard to find digital devices that don’t record images, video, or audio. But for Covered Entities (CEs) and Business Associates (BAs) trying to protect PHI, these devices create serious privacy and security challenges.

“Reasonably Anticipated” Threats

HIPAA requires CEs and BAs to protect PHI against all “reasonably anticipated” threats. The problem is, many CEs and BAs don’t know how serious the “digital device” threat is to their PHI. On the other hand, HIPAA entities can’t claim that these threats couldn’t be “reasonably anticipated”, because this  issue is being covered in the general, technical and medical media increasingly often.

So what’s a concerned CE or BA to do?

What Can Be Done?

The first step is to research the potential for abuse in your organization. You should be able to answer the following questions:

1. How and where are digital devices and recordings being used in your facility now?
2. How will you deal with employees and physicians’ use of digital devices for recording images, video, and audio?
3. How will you deal with patients and visitors using these devices?
4. What are the legitimate recording uses, if any, for such devices in your facility?

Based on the answers to these questions, you should create clear policies and guidance for the workforce, patients and visitors. Policies should be circulated to everyone and employee “sign-offs” should be obtained to establish workforce “agreement” to abide by the policies. Consider having patients sign a form laying out the rules and restrictions on recording with digital devices. And consider posting signs in patient and visitor areas that say “No Photography Allowed”, “Recordings Prohibited”, or something similar.

A Variety of Approaches

CEs and BAs today are taking a variety of approaches to digital devices and the recordings they can produce, including:

• Banning all cameras, camera-phones, and audio recording devices from the premises. (Very hard to enforce.)
• Banning digital devices from patient-care areas. (Easier to enforce, but still problematic.)
• Establishing clear policies and restrictions on usage, but not banning the physical presence of relevant digital devices. (More realistic, but still difficult to enforce, as many devices are small and can be used surreptitiously.)
• Ignoring the problem or deferring the issue till “later.” (The riskiest approach of all.)

No “Magic Bullet”

There is no “magic bullet” solution for the privacy and security challenges posed by digital recording devices. Nevertheless, CEs and BAs must attempt to address these challenges somehow, even if only to demonstrate to a judge or jury — after a breach — that they were not guilty of “willful neglect”. Remember, HIPAA violations that involve “willful neglect” carry new investigative and penalty requirements under the recent ARRA expansion to HIPAA. Be careful!

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.