Need opinions from RN's for my Ethical Dilemma Assignment!

OK- first, I am Canadian so am not familiar with HIPAA ( or is it HIPPA - sorry, I get confused)

But -I would want to know - did Jane ask the pt's permission to take the picture? Why was a picture necessary? Could she just not discuss what the condition was and subesquent treatment? I feel that the technology of phones being able to take pictures has really invaded people's privacy. As someone with a rare medical condition I am fine with students learning more about the disease, but posting pictures is a little bit too invasive for me. I don't know who sees those pictures or what is being done with them.

Once a picture is taken and sent to another person, we lose all control of that picture. I don't know if I want pictures of me or my medical condition being passed around randomly.

Yes, I believe she violated hippa. Why did she need a picture of the scan? There is no reason a nurse needs to see pictures of the scan. That's the doctors business, not the nurse. No, she should not be expelled from nursing school, as this is a learning experience.

I actually disagree. I do not believe this was a HIPAA violation because there was no disclosure of protected health information.

In order for HIPAA to have been violated, there must be sharing of personally identifiable information without the patient's consent. In this case, there were no identifiers on the picture, and the picture itself (since it does not identify the person) is not protected.

OP, here is a very detailed explaination of wha HIPAA covers and does not cover. UC Berkeley Committee for Protection of Human Subjects

You will see that the first section includes a list of the 18 personal identifiers covered under HIPAA. It does on to describe exactly what protected health information (PIH) is, and what it is not. I'll allow you to read it for yourself, but I've coped a few pertinent sentances below.

List of 18 identifiers

"1. Names;

2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

4. Phone numbers;

5. Fax numbers;

6. Electronic mail addresses;

7. Social Security numbers;

8. Medical record numbers;

9. Health plan beneficiary numbers;

10. Account numbers;

11. Certificate/license numbers;

12. Vehicle identifiers and serial numbers, including license plate numbers;

13. Device identifiers and serial numbers;

14. Web Universal Resource Locators (URLs);

15. Internet Protocol (IP) address numbers;

16. Biometric identifiers, including finger and voice prints;

17. Full face photographic images and any comparable images; and

18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)"

"Also note, health information by itself without the 18 identifiers is not considered to be PHI. For example, a dataset of vital signs by themselves do not constitute protected health information. However, if the vital signs dataset includes medical record numbers, then the entire dataset must be protected since it contains an identifier. PHI is anything that can be used to identify an individual such as private information, facial images, fingerprints, and voiceprints. These can be associated with medical records, biological specimens, biometrics, data sets, as well as direct identifiers of the research subjects in clinical trials."

In nursing school, we were allowed to copy information from the chart to work on our care plans at home as long as we did not copy down any identifying information, such as name or medical record number. This was not a HIPAA violation because the information could not be used to identify the patient.

So, in short, unless the instructor could look at the picture of the scan and identify protected health information about the patient, it was not a HIPAA violation. The picture of the scan itself, with no protected health information, is not a violation.

to quote ashley from yesterday.......

yes, it is a hipaa violation. hipaa requires patient consent for the release of identifiable information, including patient photography beyond the purposes of billing and treatment. patient photography, videotaping, and other imaging (updated)

https://allnurses.com/general-nursing-discussion/hipaa-violation-just-692744-page3.html

yesterday's thread was another good hipaa thread.....https://allnurses.com/general-nursing-discussion/hipaa-violation-just-692744.html

but it was a picture of a picture. did the patient sign consent for the mri/ct to be taken?

im asking a legit question.

I think there is a difference between taking a picture of someone's face (yesterday's thread) and taking a picture of a scan, such as an MRI scan or a CT scan that has no identifiable information.

Here's a few similar examples:

A patient has a very rare abnormal heart rhythm. I want to share it with my nursing class, so I get a copy of the EKG and cut out just the rhythm strip with no name or other information, just the strip. While that EKG strip may be unique to that one patient, the strip alone cannot be used to identify the patient, so it's not a HIPAA violation.

Say I have a very rare brain tumor. Someone takes a picture of my MRI scan with no identifiable information, just the scan. This is not a HIPAA violation either because the image itself is not able to identify me. If someone on the bus has a copy of that scan and they see me sitting next to them they will have no way of knowing that the scan came from me.

Full-face photographic images are protected under HIPAA as one of the 18 identifiers. Test results that contain none of the 18 identifiers are not considered protected health information and therefore not covered under HIPAA.

She probably should have gotten the pt's permission--but generally I don't think this was HIPAA violation if she removed all identifiers. In my mind, just having a 'unique' head CT, does not make it identifiable for a given pt--i.e. someone looking at the CT will not conclude "oh, that has to be Sally Smith." Also, several textbooks/journals have radiology images in them--what type of permission is required from the pt if an author want to put a radiology image in a book (for the record, I don't know the answer to the question, but if the pt gives permission, it is obviously not a HIPAA violation if identifiers are removed)?

Not really related to the ethical question--why would a student in nursing school (not NP/CNRA,etc. school) feel the need to take a photo of the CT for the class? Would I find it interesting? Yeah, but I'm a dork like that. I can hear people from my nursing class right now: "This is dumb," "What am I looking at, and why do I need to see this?" "What a waste of time." Given the scope of nursing school, there is no real need to display this photo to class, and no reason for "Jane" to even put herself in the way of the HIPAA train.

Nope. There are no patient identifiers. Besides there are millions of pictures used in various teaching and education. Just check out a M&M conference.

First, realize that physicians aren't usually employed by the hospital. They are granted privileges to practice there. Physicians have a choice about where they want to send and treat their patients. So it's highly unlikely that the hospital would revoke the "respected" physicians privileges because all they would really be doing is losing patients and money.

Second, since this wasn't a HIPAA violation there would be no point to notifying the hospital. It would just create trouble and make the school look like they are trying to start trouble. I can imagine that conversation:

"I just wanted to let you know that Tech So and So took a picture of a test result, with the permission of Dr. What's His Name and showed her school instructor."

"Oh, was there any a patient in the picture or any patient information on the picture?"

"No."

"Oh, did the patient complain?"

"No."

"Was the image posted on the internet?"

"No. Nobody saw it except the instructor and the employee has deleted it."

"Okay. Goodbye."

Hospital administration is really just concerned with their bottom line. If the patient isn't complaining or threatening to sue, it's not going to matter to them too much. They certainly aren't going to offend a prominent physician and risk losing their patients. They aren't going to want to have to spend the money to hire and train a new tech for an issue that isn't illegal and isn't affecting the patient.