You might assume anyone in healthcare would know better. Smart phones aren’t new. Health care providers have long wrestled with the patient privacy- and medical ethics-related ramifications. Yet once again, smart phones have contributed to a very public black eye for a health care provider.
UPMC Bedford in Everett, Pa. has been cited by the Pennsylvania Department of Health after employees snapped and shared photos and video of an unconscious patient who needed surgery to remove an object from a genital. Numerous employees, including two doctors, were disciplined for being present.
It’s not the first time unauthorized photos were taken of a hospital patient and shared or posted on social media.
- The Los Angeles Times in 2013 wrote about an anesthesiologist in California who put a sticker of a mustache on the face of an unconscious female patient, with a nurse’s aid then taking a picture. That article also reported allegations of a medical device salesman taking photos of a naked woman without her knowledge.
- In 2010, employees at a hospital in Florida were disciplined after taking and posting online photos of a shark attack victim who didn’t survive. No one was fired, with the hospital concluding the incident was the “result of poor judgement rather than malicious intent,” according to an article in Radiology Today.
- Such incidents also have touched medical schools. In 2010 a student at a medical school in New York posed with a medical cadaver and gave a thumbs up as a classmate took a photo posted to Facebook. In a survey, more than half of medical schools reported catching students posting unprofessional content online, including some that violated patient confidentiality. The 2010 incident prompted revisions of medical school policies, with some medical schools banning smart phones from rooms where medical cadavers are dissected.
Regarding hospital incidents, The Los Angeles Times quoted a patient rights advocate as saying, “The idea that people are using their cellphone or even have one in the operating room is crazy. It’s a massive security risk and incredibly insensitive to patients.”
In the UPMC Bedford incident, a crowd of employees, including a doctor not involved in the patient’s care, crowded into an operating room, according to the health department’s investigation report. A doctor said he wanted a photograph for educational purposes, and an employee later said a cell phone was used because the operating room camera wasn’t working. But others took their own photos and videos, which then were shared. About two weeks later an employee informed hospital administrators of the photo sharing, resulting in an in-house investigation and state health department investigation.
“The behavior of these few individuals was abhorrent and intolerable per our policies and standards,” UPMC spokeswoman Susan Manko said in an email. “Upon discovery, we immediately reported it to the [health department], conducted our own investigation, and took disciplinary action, with our corrective action plan approved by the [health department].”
The hospital’s actions include reinforcing privacy-related policies and requiring people involved in the incident to undergo training. Two doctors were suspended and a nursing director was replaced, according to the health department
“Although no hospital and no company can prevent every employee from making mistakes or violating policies,” Manko said, “we try to do everything possible to protect the health, privacy and dignity of our patients.”
UPMC regularly trains employees regarding patient policy and “our values of dignity and respect,” she said.
UPMC is a rapidly expanding health care system that acquired many smaller hospitals in recent years, including some located in rural areas.
When asked about enforcing such policies at newly-acquired hospitals, including seven in the Harrisburg region this year, Manko said, “As we’ve grown, we’ve typically found that our well-defined systems and standards have improved operations of our acquired hospitals–including in the area of patient privacy and staff professionalism. We sincerely believe that this track record will continue for the benefit of our patients in all of the regions that we serve.”
The Bedford hospital has been part of UPMC since 1997.
A law commonly referred to as HIPAA — the Health Insurance Portability and Confidentiality Act — was created in 1996 to set national standards for protecting patients’ medical information and privacy. New potential for privacy violations has accompanied the proliferation of smart phones.
A 2016 article by Becker’s Hospital Review looked at some of the most common violations of HIPAA, all of which can result in a fine. Health care workers posting photos of patients on social media, as well as gossiping about a patient to co-workers or friends, were near the top of the list. Becker’s wrote, “While it may seem harmless if a name is not mentioned, someone may recognize the patient and know the doctor’s specialty, which is a breach of the patient’s privacy.”
Becker’s further said lack of training is often at the root of HIPAA violations, writing “One of the most common reasons for a HIPAA violation is an employee who is not familiar with HIPAA regulations. Often only managers, administration, and medical staff receive training although HIPAA law requires all employees, volunteers, interns and anyone with access to patient information to be trained.”
HIPPA doesn’t require health care providers to obtain permission before taking photos used in the patient’s medical care or to put in their medical record. They also can use these pictures for training and teaching purposes, such as teaching medical students, if they contain no identifying information. Identifying information includes things like the patient’s name and other personal information, and also the patient’s face or recognizable facial details, tattoos and unique birthmarks. They can also use them in outside settings such as conferences, as long as they contain no identifying information. If the photos contain identifying information, they can’t be used unless the patient gives permission.
Pennsylvania has its own set of regulations regarding patient care and privacy, and hospitals must follow them in order to keep their state licenses. In citing UPMC Bedford, the health department said the hospital violated Pennsylvania regulations by failing to protect “the personal privacy, dignity and respect of the patient,” failing to provide care in a safe setting, permitting people not directly involved in the patient’s care in the operating room and permitting people not involved in the care to take photos using personal devices.