I think my employer is violating HIPAA, but when I talk to leadership about it I'm basically ignored.

Updated:   Published

So I work in the OR at a small surgery center.  Although we aren't very big, we do 40+ surgeries a day and have a lot of foot traffic.  During our surgeries, there is a camera attached to the microscope.  The surgeries are then broadcasted live to other parts of the surgery center such as hallways, other OR's, and most importantly, our Pre-OP and PACU areas.

Our Pre-Op and PACU have several patients in them at any given time and the patients in those areas are able to see the surgeries of other patients as they're happening.  The surgeries being broadcasted do NOT have any patient information on the screen and you cannot see any identifiable features of the patient themselves, just the surgery that's being performed.  

Even though there is no visible patient information on the screen, I still feel as though this is a HIPAA violation.  I've brought it up more than once to leadership, but I'm told that since there is no "identifiable information" on the screen that it's fine and I should just let it go.  The reason I'm given for the live broadcast in PACU is so the staff knows when a procedure is about to end and they can prepare for that patient to be brought out.

Is this a HIPAA violation or am I just overreacting?  If it is a violation, what can I actually do about it since leadership doesn't seem to think it's an issue?

Up Vote Up Vote ×

I've been searching around a little and thinking about this and don't have a solid answer for you.

It wouldn't surprise me at all to find out that this is one of those sort of cringe-worthy things where commonsense would tell most people that it doesn't have the best optics but have a hard time proving that it is specifically prohibited.

JCAHO/TJC/[Whatever they call themselves now] requires patient consent for some uses/disclosures.

HIPAA requires patient authorization for some uses/disclosures.

Based on a couple of HIPAA-related lectures and online info, I can go one of two ways with this:

1) It does (or could) identify a patient but does not require consent because it (arguably) could fall into one of the categories that do not require consent, and it does not require authorization  (which is HIPAA-related) because it (arguably) could be said to be de-identified patient info.

or

2) It could arguably be considered "date-stamped" patient info in a round-about way....I.e. the date of admission/treatment is clearly known because it is real-time, and would therefore be subject to HIPAA and would require patient authorization even if it doesn't require consent according to JCAHO, as specific dates of treatment are considered PHI.

Additionally, if it does require either consent or authorization, this could already have been taken care of in pre-admission/admission paperwork.

I think the optics of having a patient sitting in PACU cognizant enough to see the videos and then having another patient roll into PACU whose surgery was just broadcast and then having people at the bedside verbally discussing patient identifiers, etc., are just bad. Even if it is all allowable due to concepts like healthcare operations (a permitted use of PHI). No patients need to be entertained by looking at the inside of Mr. Smith's colon while biding their time in PACU. That's just unnecessary.

Unrelated angle: Why are PACU staff supposed to be paying attention to what is going on with a surgery video instead of solely attending to the patients in PACU? Last I knew the telephone and text messaging still work...not too hard to say so-and-so is coming out in 5...

2
Up Vote Up Vote ×
Specializes in OR, Nursing Professional Development.

This seems like overkill for being able to tell when surgeries are wrapping up. We use Epic and certain time stamps are color coded on our status board that are able to be viewed by all staff when logged in. The preop and PACU can monitor that way. When the patient turns yellow, the surgeon has begun closing and PACU should expect a call a few minutes later for a bay assignment. When the patient turns green, they have arrived in PACU and preop should anticipate the circulator arriving in preop to pick up the next patient in 5 to 10 minutes. 

As far as consent, many surgical consents include a line item regarding photography and video. Some actually read and will cross out, others don’t read, others read and are OK with it. 

5
Up Vote Up Vote ×

In April, May, and August of 2019 CMS cited MDAnderson for a lot of things one of which was similar to what you describe.

In May CMS said that deficient practices in Patient Rights, Infection Control, and Surgical Services posed an Immediate Jeopardy to patient health and safety.  CMS implemented more aggressive oversight of MDAnderson.

On their tour of the surgical area they went into the Anesthesia workroom and found surgeries displayed on monitors in the room.  They said patients had not consented to having their surgeries displayed on monitors in other areas.  They also pointed out that materials management, housekeeping, etc. could see these patients' surgeries.  That was a violation of patient rights.

CMS said that MDAnderson failed to "provide privacy to its patients in their surgical suites without fully disclosed consent, displaying electronic monitoring of surgical areas on monitors in the anesthesia workroom in POD A and POD B of the surgical area."

Look at pages 17, 42, and 56

https://www.scribd.com/document/433442798/450076-md-anderson-a-2567#from_embed

2
Up Vote Up Vote ×
+ Join the Discussion