Charles Barrow

At your facilities, are patients or their representatives typically informed after an NGT is inserted into a lung?

Exactly! You’ve confirmed one explanation for why shadows may not be able to answer questions relevant to HIPAA. I’ve not been able to find any published evidence one way or the other on shadows’ understanding of HIPAA following the workshops they’ve taken. The few shadows to whom I have spoken who remember being asked a few questions following HIPAA workshops said that they could have answered the questions correctly before they took the workshops. I’d also like to add that knowledge of the number of fines imposed by DHHS on hospitals for privacy violations committed by professional healthcare providers should give us pause when directors of shadowing programs try to reassure us that shadows (who tend to be younger than seasoned professionals and, as you say, are laypeople) can be trusted with private information. This is an assumption they make; they have no evidence of its veracity. Even more telling is that a majority of shadows admit that they never had any HIPAA training to help prepare them for their shadowing experiences. More specifically, Erik Langenau and his co-authors found that among the osteopathic students studied who had shadowing experiences before medical school, 48% were first required to undergo HIPAA training; only 40% of osteopathic students who shadowed while in osteopathic school reported that they were required to first complete HIPAA training. (2019. Survey of Osteopathic Medical Students Regarding Physician Shadowing Experiences Before and During Medical School Training. Journal of Medical Education and Curricular Development. I already understand deviance at several levels of explanation. For any number of reasons, the study of deviance and crime in the healthcare institution has been largely neglected. There is a lot of descriptive stuff but few efforts at explanation. In fact, although the words you’ve written don’t add anything to what is already known about the etiology of deviance and crime, they do constitute a reiteration of some of that knowledge. Funny, I can’t think of a better example of an overreaction to someone calling out a patient’s name in the waiting room than what you’ve given. But, really, in order to make a determination of the propriety of calling out a patient’s name in a healthcare clinic’s waiting room, I’d have to have more information than you’ve provided. HIPAA addresses the issue in “HIPAA Waiting Rooms” 2021 Compliancy Group https://compliancy-group.com/HIPAA-waiting-rooms/ It does not give specifics but does appear to afford providers considerable discretionary latitude by defining the calling out of names “incidental disclosures” and mandating only that a facility put in place “reasonable safeguards to protect the privacy” of PHIs (of which patient names are a part) such as “implementing technical solutions to mitigate risks and workforce training.” In my experience, one technical solution is to give each waiting-room patient a mechanical alert, hand-held device that beeps or flashes when providers are ready for a patient. Short of that, beckoners call out first names or last names preceded by customary titles of Mr. or Ms. I don’t believe I have ever heard a beckoner call out both first and last names. In my opinion, any intervention on the part of authorities to a pattern of privacy breaches in a facility – whether they be by internal compliance officers, Joint Commission site visitors, or a HIPAA representatives – the response should be measured and proportional to the seriousness of the breaches. For example, to show maximal respect for patients, facility administrators may train their staff to use formal titles when calling out names – e.g., Dr., General, Senator, President so-and-so. The desire to show maximal respect to patients by using their formal titles may be perceived as commendable but, at the same time, wrongheaded because of the ease with which they could be tracked down by people with malevolent intent. By way of illustration, in Oath Betrayed: Torture, Medical Complicity, and the War on Terror,” Steven Miles, M.D. (and in his other publications) gives the names of physicians at Abu Ghraib whose major task was to keep prisoners alive so that they could be tortured and humiliated. I was able, within minutes, to track down a number of these physicians. I found out where they lived, where they did business, what they had done since the Abu Ghraib debacle, things about their families and their lives before becoming physicians, patient evaluations, whether any grievances had been levied against them, etc. Were members of some healthcare regulatory organization to get wind of this practice by a facility, it would probably be considered by most to be too heavy-handed to slap the facility with a big fine and more even-handed to inform them of the possibility, albeit remote, of negative consequences of their practice and to recommend ameliorative changes. They may also respectfully recommend that a facility explain to patients in writing why its modified policy is what it is and that if providers want to show maximal respect to patients by using their formal titles, it would be best to do so in private places rather than public places such as waiting rooms. However, were the facility to obdurately continue its practice unabated, more punitive sanctions could be in order. My previous suggestion that breaches of privacy be nipped in the bud is pertinent to this discussion. Borrowing from deterrence or rational choice theory, I have in the past suggested that predatory crimes committed by healthcare providers will diminish in frequency were they nipped in the bud. Healthcare predators groom their prey just as other predators do. The predatory behaviors of Larry Nassar, for example, may never have reached the level they did had the healthcare community collectively come to the defense of his victims. Instead, except for a few who worked closely with him, they came to his defense and did so, in some cases, viciously – for about 20 years. For example, Malcolm Gladwell writes, “Many people close to Nassar backed him even after [a newspaper ‘published a devastating account of Nassar’s record’]. Nassar’s boss, the Dean of Osteopathic Medicine at Michigan State, allegedly told students, ‘This just goes to show that none of you learned the most basic lesson in medicine, Medicine 101…..Don’t trust your patients. Patients lie to get doctors in trouble”’ (Talking to Strangers, p. 127). I know more than a few physicians who took this lesson to heart. One boldly told me, “If anyone wants my services, they can only get them with my chaperone present. They have no say in the matter.” The irony is, that Nassar committed some of his crimes in the presence of other healthcare providers who stayed mum rather than incur the wrath of Nassar and his defenders. The anecdote I gave involved the surgeon, the anesthesiologist, three nurses and maybe a tech. They first prepped me and then the patient in the cubicle next to mine. The earlier anecdote I wrote about the young lady who inadvertently shared information about her sex life with me, there was just the two of us in the entire ER along with a physician who was interviewing her. These episodes were not a consequence of “a harried RN or assistive personnel” in which physicians were uninvolved. Indeed, it was clear to me that these behaviors were institutionalized (part of the system of care). Being harried, harassed and hoary may increase the likelihood of privacy breaches, but they are neither necessary nor sufficient explanations for them. Of course the ways social systems are organized and structured help determine people’s behaviors or, in the words of Emile Durkheim, social facts determine psychological facts. However, just because social systems help determine people’s behaviors, it does not necessarily absolve individuals of responsibility and accountability for their actions. Explanations are not the same as justifications; they impute empirical responsibility while justifications impute moral responsibility. Retributive justice demands that the little guy pay for his crimes commensurate to the damage he has done and ditto for the big guy. When retributive justice is served, however, it (and injustice) is more likely to be served to the little guy than the big guy. For example, the book has been thrown at members of the illegal drug trade who took advantage of the opioid crisis reportedly created in large measure by members of the Sackler family who, so far, have not been held accountable for their role in creating the crisis. (see, Beth Macy.2018. Dopesick: Dealers, Doctors, and the Drug Company That Addicted America) Indeed, prosecutors have reportedly not been able to find a law under which they can be prosecuted.

It is not necessary to have seen shadowing take place to know what HIPAA’s position on the subject is. There are 8 district offices with district managers who help administer HIPAA. The district managers are expected to be expert spokespersons for HIPAA and I imagine there is considerable consistency among them regarding what the rules are as they pertain to prior consent for shadows. The manager with whom I communicated by email clearly stated that shadowing programs are considered by HIPAA to be “health care operations… [C]overed entities are free to design their own policies and procedures surrounding access to patients’ PHI” for programs that are classified as “health care operations.” Those who administer shadowing programs may, therefore, decide to require shadows to get prior consent, not require them to get prior consent, get consent under some circumstances but not others, get consent of some patients but not others, etc. It appears that you have been exposed only to programs that require shadows to get prior consent. That’s in keeping with the standards set down by the Joint Commission and the AMA’s Code of Medical Ethics. Apparently, HIPAA authorities are just as “happy” with programs that require consent and those who don’t, all other things being equal. Authors of many publications who have been shadows or have administered shadowing programs express the mistaken belief that HIPAA requires prior consent before shadows can observe. They make this assumption probably because they believe HIPAA is supposed to function to protect patients’ privacy rights; not getting prior consent, they believe, violates those privacy rights. Administrators of shadowing programs who believe this fiction require shadows to get prior consent. Other administrators of shadowing programs are aware of HIPAA authorities’ position and, if they are so inclined, don’t require shadows to get prior consent. An interesting empirical question is, how would administrators of shadowing programs who require prior consent because they believe HIPAA requires it behave if they found out they were, in fact, “free to design their own policies and procedures surrounding access to patients’ PHI.” Would they keep the requirement, drop it, or modify the shadowing program in some other way? These were laypeople who, in order to shadow, were required to complete HIPAA workshops (some facilities don’t require this) where the concepts privacy and confidentiality were used. One would think that they would have been taught to make a distinction between the two. Of course, the answer to one question is not sufficient for determining how well respondents understand HIPAA. I have interviewed some providers who think that HIPAA has virtually everything to do with the protection of PHIs in written/electronic form (e.g., EMRs) and verbal form (talking about PHIs only to those who have a need to know) but virtually nothing to do with the protection of personal privacy (e.g., getting consent to observe or photograph treatment). It seems to me, rightly or wrongly, that HIPAA is heavy on the former and light on the latter. I’d hypothesize that an assessment of the punitive actions taken by HIPAA authorities against offending healthcare organizations would support this hypothesis. You see “with very few exceptions, people trying to comply with the law and with their facility’s individual privacy practices.” I see the same thing. But I also see people who violate folkways, mores, laws, and their facilities’ privacy policies. I see clinics that have practices based on policies that are legally and/or ethically questionable and to which their providers conform. I see people who work in facilities that have no privacy policies other than HIPAA and others that work in facilities that have their own privacy policies in addition to HIPAA. I draw no lines regarding what I observe around me. I stay as focused and as attentive as I can when I interact with others in healthcare facilities because it’s from them that I gather my data. The majority of them do not violate rules that govern social behavior, ethical guidelines, and legal requirements. Those who study deviance, however, tend to be interested in the exceptions; it’s the deviance they want to understand. I didn’t suggest that your and your colleagues’ efforts to comply with the law isn’t “good enough.” How could I? I’ve never seen you or them in action to make that determination. Nor did I claim that “trying to do [your] best is merely ironic.” The irony is that before HIPAA, I knew providers who said the same thing as you wrote about privacy but had different and varying understandings of the word, possibly because, in part, its meaning was not standardized by some regulatory agency, such as HIPAA, as it is now. Privacy is generally conceived as a right by medical ethicists. It is likely to be discussed beneath the more general right to autonomy along with the rights to informed consent, dignity, self-determination, bodily integrity, none of which is mutually exclusive. Some healthcare organizations give patients a “Patient Rights and Responsibilities” document which supplements an explanation of HIPAA. The rights listed usually include the right to be treated with respect, the right to privacy, the right to refuse treatment, the right to dignity and the like. If an organization knows there is a patient responsibility (e.g, follow clinic policies) that trumps a patient right (e.g., privacy), it is ethically and sometimes legally obligatory to inform the patient of the gap so s/he can make an informed decision about whether or not to seek care at that facility. I won’t quibble with that. You’ve recognized a gap between what Americans’ value and what modern life affords them. If you go to HIPAA Journal and read about HIPAA violations that have been addressed by HIPAA authorities, you’ll probably conclude that the largest percent of them involve irresponsible behavior by some people in healthcare that has led to the release without consent of 1000s of EMRs. You know of a patient who took umbrage at his/her name being called out in a waiting room and filed a complaint with the facility or with HIPAA? Appears to be an overreaction -- an effort to make a tornado out of an innocuous breeze. You asked me if I was “researching the actions of mostly entry-level worker” and if I was “hoping to catch criminals at the staff/employee level.” I listed the statuses of all the people with whom I have had exchanges in healthcare facilities. I don’t count the number of each when I go to a facility.  However, were I to guess with whom, overall, I have had the greatest contact, it is probably not with physicians and highly paid administrators of healthcare organizations. Here are two things, among others, I want to see. I want to see to what extent the “mortification of the self” (replacement of one’s identity with another to accommodate to social changes) occurs in healthcare facilities in which exchanges tend to be ephemeral (e.g., outpatient facilities, clinics) rather than in “total institutions” (e.g., in-patient hospitals, psychiatric hospitals) where exchanges tend to be long-lived (see Erving Goffman, Asylums). I also want to see whether or not there is a gap in healthcare organizations between ideal norms and real norms, to what extent do those gaps occur if they exist at all, and in what social situations do they happen. You are correct. I also write about the influence of healthcare organizations’ non-material culture (values, beliefs, norms, language). Most of the data I collect has to do with interactions among individuals in healthcare settings. In other words, my research is social psychological in nature. One can make hypotheses about the system, structure, or institutionalized practices of an organization by noting patterns of social exchanges that occur between and among players in the organization. In some of the things I write, I reference others who address social systems and their effects in and across organizations and institutions. James Stewart’s book Blind Eye was as much about how the system opened up opportunities for Dr. Michael Swango to kill dozens of hospital patients as it was about Swango himself. Charles Graeber did pretty much the same in his book The Good Nurse about Nurse Charlie Cullen who may be the most prolific serial killer in the U.S., having murdered as many as 300 hospital patients. Dr. Steven Miles (Oath Betrayed: Torture, Medical Complicity, and the War on Terror) wrote about how the system made it possible for doctors at Abu Ghraib to violate their Hippocratic Oath.

Ditto! I had two cataract surgeries over the last 6 weeks at which time I was made privy to personal information about other patients and I suppose they were made privy to mine. Given what I heard and said, I think my information was more private than theirs. ? We were being prepped for surgery in cubbyholes separated by curtains. I estimate that we were about 5 to 6 feet apart. There were two other prep locations which would have allowed greater distance between us. The nurses who gathered information spoke more loudly than they had to when they gave and received information and the patients followed suit. The anesthesiologist, however, was very quiet and the patients followed suit with him, too; I heard the anesthesiologist and patient speaking at each visit, but could not decipher the words. I fell asleep. I suppose when you write about “the law,” you are referring to HIPAA as well as other federal laws and state statutes. I would add to that the idea of upholding ethical principles (autonomy, non-malfeasance, beneficence, and social justice), which may loosely be conceived as “the spirit of the law,” given that laws tend to originate with social mores (morally important norms) which are often reflected in ethical documents. The AMA’s Code of Medical Ethics Opinion 3.12, for example, advises – “When individuals who are not involved in providing care [e.g., shadows] seek to observe patient-physician encounters, e.g., for educational purposes, physicians should safeguard patient privacy by permitting such observers to be present during a clinical encounter only when: 1. The patient has explicitly agreed to the presence of the observer(s). . . 2. The presence of the observer will not compromise care. 3. The observer understands and has agreed to adhere to standards of medical privacy and confidentiality.” This is a mos (singular of mores) that forbids shadows to observe without patient consent, but it is trumped by the law (or at least HIPAA authorities’ interpretation of the law) which permits shadows to observe without patient consent. In other words, the AMA does not have the authority to enforce its ethical expectations and sanction violators for deviating from those expectations. Unless there are other authoritative sources of social control, such as the Joint Commission, “covered entities” are free to permit shadows to observe patients’ encounters with preceptors without prior consent. In my personal experience, with few exceptions, of the three conditions listed in the last paragraph, the only one with which providers tend to be most concerned is the third. That may be because it is the only one required by HIPAA – the law. I was told by compliance officials (without evidence*) that all shadows agree to “adhere to standards of medical privacy and confidentiality” by signing a HIPAA confidentiality form. However, I have been unable to find evidence that shadows fully understood “standards of medical privacy and confidentiality.” The 12 shadows with whom I spoke were either not tested over what they learned or, among those who were tested, I found out that the levels of validity and reliability of the tests had not been established. Moreover, they could not answer the few simple questions I asked them, such as the relationship between privacy and confidentiality. In retrospect, I wonder if they knew what HIPAA stands for (a question which I have posed to 81 allied healthcare workers). I cannot claim that the samples I’ve taken are representative of any population on any variable, but what I’ve found should give pause to those who believe that policy (as set forth in shadowing preparation materials) equals practice. There is irony in your exhortation that “each of us use our best judgment to maintain the degree of privacy possible in our settings.” Before HIPAA, many providers to whom I spoke about privacy issues tended to sigh, wax philosophical, and say something to the effect, “I guess all we can do is that ‘each of us use our best judgment to maintain the degree of privacy possible in our settings.’” Unfortunately, before HIPAA, the understanding of what constituted privacy varied across healthcare facilities and individuals in them and the way to deal with privacy intrusions varied in the same way. HIPAA brought some degree of consistency and continuity to understanding privacy and dealing with unnecessary privacy intrusions. Healthcare providers acting on the old way of understanding privacy not infrequently violated social mores. Nowadays, if a healthcare facility acts on these old understandings, they run the risk of being slapped with a fine by HIPAA. Just ask administrators at N.Y. Presbyterian Hospital (HIPAA. 2016. “New York Hospital Fined $2.2 Million for Unauthorized Filming of Patients.” HIPAA Journal. (April 22). Retrieved June 6, 2021 https://www.hipaajournal.com/new-york-hospital-fined-2-2-million-for-unauthorized-filming-of-patients-3402/), Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital (Jessica Davis. 2018. “3 Massachusetts Hospitals Fined Nearly $1 Million by OCR for HIPAA Violations.” Healthcare Security Forum. (September 21). Retrieved June 6, 2021. https://www.healthcareitnews.com/news/3-massachusetts-hospitals-fined-nearly-1-million-ocr-HIPAA-violations) The disturbing thing here is that hospital administrators and participant healthcare providers not only believed that they did not violate HIPAA; they believed they did not violate social norms. This suggests that they were emersed in a deviant subculture; they sported and may still sport a set of beliefs, values, and norms that are inconsistent with the values, beliefs, and norms of the greater society. If so, if HIPAA were expunged, if there were no other laws to deter providers, and if there were no internal controls, then one would expect that providers who embraced the lax old ways of understanding privacy would again exploit the opportunity to violate the privacy rights of their patients. * Evidence could be provided without compromising the identity of shadows by conducting evaluation research and aggregating the data. None of the programs with which I had contact while doing a participant observation study had done evaluation research that included this information. In the first sentence, you seem to be “tilting at windmills” or, more precisely, “attacking straw men.”* I don’t know anybody who makes a claim that we live in such a world. I know I don’t. And, I can envision healthcare providers unintentionally sharing an unwitting patient’s personal information to a thief who uses the information to burgle the patient’s house. I’m confused by your second sentence. What point are you trying to make? You suggest that the preoccupation with privacy issues is due to emotional insecurity and then you correctly assert that the reality is that our “private affairs are less private than ever before.” But isn’t this exactly what the so-called insecure patient is concerned about? What you’ve written reminds me of a convict in “Scared Straight.” To the young men who were the victims of this program, he said: “I wake up every morning wondering if I’m going to have to kill or be killed. That’s not paranoia, that’s reality.” I’ll paraphrase what I think your point is. “Some people go too far in their concern and quest for privacy. This overzealousness trivializes what I believe to be the more important things in life. The cause of this overzealousness is emotional insecurity.” Now, the average Joe or Jane would probably agree that if a homeowner went bananas over someone stepping on his/her lawn and labels the trespass a privacy intrusion or an invasion of personal space, then that person probably has a personality disorder or emotional disorder. But maybe you’ve read something on this blog or some other blog that deals with privacy issues in healthcare that you believe are trivial enough to be considered evidence of the emotional insecurity of the poster. If so, will you tell us readers what it is? In the meantime, I’ll play the role of those who zealously pursue changes that would bring about greater respect for people’s right to privacy in healthcare and who are labeled by some people in and out of healthcare as overzealous and emotionally insecure. Martin Luther King was labeled overzealous and, consequently, maladjusted, because of his indefatigable efforts to bring about racial equality via the reduction in racial discrimination and segregation. Let’s imagine King was also interested in eliminating unnecessary threats to patients’ right to privacy in healthcare settings. Let’s also say that his detractors labeled him overzealous and emotionally insecure because of his efforts. Here is how he might have responded? “There are some things within our social order to which I am proud to be [emotionally insecure] and I call upon you to be [emotionally insecure] with me. I never intend to [feel secure with violations of people’s right to privacy. The violation of privacy rights is a “glaring evil… It relegates the [recipient] to the status of a thing rather than elevates him to the status of a person.” It is “not only politically, economically, and sociologically unsound but it is morally wrong and sinful.” It is “morally wrong because it deprives man of freedom, the quality that makes him a man” and because “it injures one spiritually. It scars the soul and distorts the personality. It inflicts the [offender] with a false sense of superiority while inflicting the [offended] with a false sense of inferiority.” Privacy is one of Americans’ most highly valued rights as evidenced by, among other indicators, its enshrinement in the penumbra amendments of the U.S. Constitution (First, Third, Fourth, Fifth, Ninth, and Fourteenth) which originated with the U.S. Supreme Court’s 1965 decision Griswold v. Connecticut. It is the Fourth Amendment that is the exemplar of privacy rights; it recognizes “[t]he right of the people to be secure in their persons, houses, papers, and effects.” The founding fathers, in their vast wisdom, chose to put “to be secure in their persons” (personal privacy) before the right to be secure in, what amounts to, their property (houses, papers, and effects). However, many if not all healthcare facilities seem to turn this order upside down by imputing greater value to personal property than to personal privacy (e.g., bodily integrity), as indicated by their readiness to unnecessarily compromise the latter while, at the same time, securing even property of little worth (pencils) under lock and key. And then when they are caught with their hands in the cookie jar, they will invariably, with tortured disingenuousness and in the face of contrary evidence, beseech the public thusly: “Our facility ‘is deeply committed to … protecting the rights of all patients.”** American’s right to privacy is being threatened today on numerous fronts as it never has in my lifetime – by the government, by the courts, by the media, by new technology, and by healthcare organizations. George Annas recognized the latter in his 1988 publication “Judging Medicine” where he dubs the modern hospital at that time as a “human rights wasteland.” As many of the privacy rights defended by Annas (e.g., right to refuse medical treatment) but denied to Americans in 1988 became well established, other breaches of privacy rights became emergent (those created by new technologies, demographic changes in healthcare, and the corporatization of healthcare). Healthcare organizations have been promoted from human rights wastelands to human rights abattoirs. And, one last thing, in the U.S., the expressions “nip it in the bud” and “if you give them an inch, they’ll take a mile” tends to be applied to the powerless in society – e.g., to children, poor people, and ethnic/racial minorities. It tends not to be employed to deter the deviant behaviors of those in positions of authority. In particular, high-class predators who are in positions of power over others tend to groom their intended victims. Larry Nassar, for example, began his molestation of Olympic gymnastic hopefuls with what was defined by authorities to whom victims complained as trivial and well within the boundaries of standard care. They chose to “worry about other things,” if they worried at all. They worried about other things for 20 years before Nassar was arrested and sentenced to spend the rest of his life in prison for full-blown sexual abuse which could have been nipped in the bud. * “A straw man fallacy occurs when someone takes another person’s argument or point, distorts it or exaggerates it in some kind of extreme way, and then attacks the extreme distortion, as if that is really the claim the first person is making.” ** Fred Donovan. 2018. “CMS Finds Minnesota Hospital Violated Patient Privacy Rights.” Health IT Security. Retrieved June 8, 2012 https://healthitsecurity.com/news/cms-finds-minnesota-hospital-violated-patient-privacy-rights I was trained as a criminologist and sociologist. Simply put, criminology is the systematic/scientific study of crime and delinquency. The sociological parallel to criminology is the study of deviance which includes not only violations of laws but also violations of folkways (customs) and mores (morally/ethically important social norms that usually, but not always, are the bases for laws). In my role as sociologist/criminologist, I do not catch criminals; I make note of the crimes and other deviancies I observe, are told about by interviewees, or glean from other sources no matter what the status of violators or the conditions under which the violations occur. I interpret what I observe, look for patterns in my data, create typologies of deviancies, explain them, and ultimately derive ideas for actions designed to ameliorate any problem I identify. The only actions I’ve learned about that may be among the “dark figures of HIPAA violations” were reported to me by others. My field observations have not resulted in any evidence of HIPAA violations, if one defines a HIPAA violation as what HIPAA authorities define as a HIPAA violation. I have not limited my field study observations to those at “the staff/employee level.” I have observed exchanges I and others have had with doctors, RNs, BSNs, nurse assistants, PAs, MAs, technicians, scribes, chaperones, shadows, company reps, clinic/hospital clerical workers and administrators, students (from elementary to medical schools), hospital/clinic volunteers, hospital/clinic photographers, friends of providers, and family members of providers (including their children). In one hospital, I and other patients may have been observed by employees who controlled surveillance equipment that videoed taped activities in rooms where surgery preps took place, ORs, ERs, patients’ rooms, and other places where patients had a reasonable expectation of privacy. Regarding the latter, in the conditions of admission document, patients were informed that this surveillance was to protect us and others. I have personally observed breaches of etiquette (folkways), breaches of mores that are not legal violations, and what can technically be construed as breaches of civil laws (e.g., intrusion on seclusion) and criminal laws (e.g., battery).

As far as I can tell, you are correct; I have been unable to find anything about shadowing programs in HIPAA documents. However, HIPAA authorities do address shadowing. That’s one of the reasons I distinguish between HIPAA and HIPAA authorities, one of whom is the regional manager I cited on 5/31. I have been conducting research on shadowing for some years now. To guide my observations, I have used McDade’s conceptualization of a shadow: to paraphrase McDade, shadows are individuals who accompany licensed healthcare providers into locations where these providers care for or treat patients. The role of a shadow is to observe the exchanges that occur between providers and patients; they engage in no hands-on activities. They strive to remain as unobtrusive as possible, especially during an examination. Shadows’ communications with patients and preceptors occur primarily, if at all, before and/or after the provision of treatment or care. This conceptualization encompasses, among other people, “someone who is not a health professions student” as well as shadowing “by a health professions student with a formal agreement . . . or something like a job candidate.” Using this conceptualization, between 2008 and 2020, I identified 38 shadows who joined me and their preceptors in examination rooms. In only 3 (8%) of the visits was prior consent secured. Without going into detail, here are a few of my other findings. On most occasions, the first time I saw a shadow at a healthcare facility was in an examination room. Most shadows were not introduced to me. I was not introduced to any of the shadows. Some shadows believed that informing me that they would be present to observe constituted getting permission. Some preceptors believed the same. Shadows were taught to use this approach in lieu of asking permission because it was believed to increase the likelihood that patients would permit them to observe. On those occasions that I was subjected to the scrutiny of shadows, I was never thanked for my service. In the last 6 weeks, I visited healthcare facilities 4 times during which shadows accompanied providers. The same pattern I noted between 2008 and 2020 was pretty much repeated except that one shadow thanked me for my service – an unexpected first of its kind for me. I have reviewed 15 online descriptions of shadowing programs so far. Within these descriptions are program policies. The rigidity of these policies’ adherence to a set of criteria that would protect patients’ privacy varies across programs but are, in general, high. However, there is inevitably some gap between policy and practice or what sociologists call ideal norms and real norms. I first measured that gap in the 1970s when I made site visits to healthcare facilities as a program evaluator and program developer helping them prepare for site visits from what was then called the Joint Commission on Accreditation of Hospitals (JCAH). Every year, our team found that policy deviations varied from trivial to egregious (or close to it). I suspect things are pretty much the same today as they were back then. I plan to contact the facilities in which the shadowing programs I studied are housed and find out about their assessment programs. Back in the ‘70s when I made site visits, the focus of organizations that did assessments of government-funded programs was disproportionately on policies with little attention to practice. Regarding the experiences I described in the last paragraph, I don’t know if the behaviors I reported were or were not consistent with the policies of the facilities involved. In 2015, I learned of an event that transpired in one facility that, in spite of violating norms of common decency and, possibly, legal precepts, seemed to be considered within the boundaries of care standards by facility officials. During an interview with a mother, she told me that her 15-year-old son had recently visited a physician for a physical. As he sat in the examination room with only his underpants on, the physician walked in with a shadow; a young lady the boy knew. She was a senior in the high school he attended. He was so flabbergasted and surprised that he was at a loss for words. The doctor pulled his pants down and examined him as the girl watched. All this occurred without his or his mother’s consent. The boy refused to return to school and had to undergo counseling. The mother filed a complaint with the facility and was told that neither its policies nor HIPAA standards were violated. According to the mother, she had started the process of seeking justice for her son through the courts against the girl (who was 18), the physician, the healthcare facility, and the school (which probably had an agreement with the facility). I was skeptical about the facility’s claim that HIPAA allegedly permitted shadowing programs that allowed teenagers to observe patients without prior consent, but didn’t investigate the claim until 2017 when I had an opportunity to file my own complaint against a facility. My complaint was two-fold: 1) The physician permitted an 18-year-old shadow,* who was not connected to any bona fide healthcare training or education program, into an examination room that I occupied without prior consent and 2) the physician failed to fully describe the educational/training status of the shadow. Regarding the latter, the physician introduced the shadow only as "a student." I reasonably believed he was a medical student, but his youthful looks gave me pause. I did a little probing and found out he was a college freshman; was no more interested in becoming a healthcare provider than in pursuing a vocation in a number of other areas; and was, by his own admission, shadowing “because I am curious.” I filed a complaint with HIPAA only after the facility’s compliance officer defended the practices described and then refused to reply to my follow-up letter. HIPAA’s regional manager responded thusly: “As far as the Privacy rule’s ‘minimum necessary requirements’ are concerned … covered entities are free to design their own policies and procedures surrounding access to patients’ PHI by the latter [45 C.F.R. 164.501]… A student shadowing a physician falls under the definition of ‘health care operations,’ in the HIPAA Privacy Rule and is permitted; A health care provider (e.g., a physician) is not required to obtain a patient’s consent prior to having a student/intern shadow him/her; [having obtained the complainant’s permission [would have been] a courtesy [but not a requirement]… As a result, OCR finds that there was no violation of the HIPAA Privacy Rule. OCR finds [the facility and the physician] in compliance with the HIPAA Privacy Rule and is closing this complaint.” Although the regional manager did not address my complaint regarding the physician’s failure to fully disclose the shadow’s status, he did recognize its existence. Apparently, this omission is not a concern addressed in HIPAA or of concern to HIPAA authorities in spite of the fact that shadowing programs per se are not addressed by HIPAA but are of interest to HIPAA authorities. Although I can make a cogent argument that putting patients on display for the benefit of others is, in and of itself, ethically questionable, I did not suggest that shadowing is unethical when I asserted, “No reasonable person, especially one with an ethical eye, would conclude that HIPAA's conceptualization of "healthcare operations" includes programs for teenage shadows.” According to the regional manager with whom I communicated, “A student shadowing a physician falls under the definition of ‘health care operations,’ in the HIPAA Privacy Rule. Under this provision, health care providers are permitted to (a) ‘conduct training programs in which students, trainees, or other practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers; and (b) the program is specifically designed to: review the competence or qualifications of health care professionals; evaluate practitioner and provider performance; train non-health care professionals; and to assess accreditation, certification, licensing, or credentialing activities’ [l45 C.F.R. 164.501].” That is the conceptualization to which I am referring. Where does an 18-year-old college student who is, by his own admission, not involved in any bona fide healthcare training/education program, is no more committed to becoming a healthcare provider than he is in pursuing a vocation in a number of other areas, and shadows to satiate his curiosity fit in the conceptualization? This question elicited no answer by HIPAA authorities. However, as I suggested in an earlier post, independent analysis conducted by AHIMA answered my question in the same way I did – “Nowhere!” What some laypeople I have interviewed find chilling is that HIPAA authorities’ defense for not getting consent is that HIPAA would allow shadows to, without prior consent of patients or their legal reps, intrude on patients’ privacy in their most vulnerable moments including during intrusive preps for surgery, during surgeries, and while they are anesthetized or otherwise unconscious. Essentially, as interpreted by HIPAA authorities, what my best friend cannot do without my consent (e.g., join me in an examination room), their children can do without my consent as long as they get a qualified provider to serve as a preceptor and conform to certain criteria specified by HIPAA including, among other things, signing a HIPAA confidentiality form. * All the online programs I reviewed required shadows to be 18 or older. I was told that 18 was the cutoff primarily because at 18, parents did not have to be involved in the process. By contrast, Nancy Davis (director of privacy at Ministry Health Care and co-chair of the AHIMA 2006 Privacy and Security Practice Council) writes, “More often than not, job shadowing participants are middle and high school students . . .” (2006. “Job Shadowing and the HIPAA Privacy Rule.” Journal of AHIMA. 77(8): 69, 71). I am familiar with several facilities, some connected to hospitals, that have shadowing programs that include shadows under 18. I had an experience in one healthcare facility that had (and may still have) a day-program which included shadows who were elementary school children. I found this out during a visit to a physician. I walked into the examination room and, without my consent, was followed by a nurse and her 8-year-old daughter. They didn’t leave when the doctor entered and closed the door. I found out the little girl was given a school project to follow one of her parents at work and report back to the school what she learned, thereby risking a HIPAA no-no.

I will respond to your post a bit at a time beginning with your last question. I have been conducting research using a technique called triangulation which involves, in my case, the use of both quantitative and qualitative methods to identify patterns of patient-provider interactions. This requires studying HIPAA because some of its rules articulate how providers must or must not interact with patients. As one would suspect, there is some degree of disparity between the ideal (rules designed to guide interactions) and the real (violations of those rules). The “convictions” of and fines imposed on violators by HIPAA authorities constitute evidence of the official deviations from those rules. These “official statistics” are analogous to the data collected by the FBI and published in the Uniform Crime Reports. Criminologists speak of the “dark figures of crime” which refers to crimes unknown to the police. They are analogous to breaches of HIPAA unknown to HIPAA authorities; we can call them the “dark figures of HIPAA violations.” One of my tasks as a researcher is to uncover or expose these “dark figures.” One research method I use is a qualitative one called participant observation. Formally, I play the role of a participant as observer; I am an actual patient who observes the interactions that take place between other patients and providers and make note of how providers interact with me. Just as actors vary their roles from one play to another, I vary the roles I play when I interact with providers. But unlike actors, I vary these roles at random. When I detect a breach of etiquette or ethics I sometimes behave in a way expected of a patient (e.g., compliant and agreeable – I say nothing and pretend I hear and see nothing out of the ordinary) and at other times I deviate from the role of the ideal patient (e.g., contrary and confrontational). In each case I observe and note the providers’ reactions and when I have sufficient data, I search for patterns in these reactions. Social psychologists may recognize this approach as being a modified ethnomethodological study called a breaching experiment. To your question, “Have you had a personal experience that didn’t seem right?” my answer to your question is, as a participant observer and before I was a participant observer, I observed and experienced many breaches of social norms (folkways, mores, and laws) in which providers engaged. None of these breaches, as far as I know, constituted a violation of HIPAA. I already wrote about one of these breaches. It was published in this blog on November 26, 2020.

"A health care provider may utilize the services of a contract film crew to produce training videos or public relations materials on the provider’s behalf if certain protections are in place. If patients are to be identified by the provider and interviewed by a film crew, or if PHI might be accessible during filming or otherwise disclosed, the provider must enter into a HIPAA business associate agreement with the film crew acting as a business associate. Among other requirements, the business associate agreement must ensure that the film crew will safeguard the PHI it obtains, only use or disclose the PHI for the purposes provided in the agreement, and return or destroy any PHI after the work for the health care provider has been completed. See 45 C.F.R. 164.504(e)(2). As a business associate, the film crew must comply with the HIPAA Security Rule and a number of provisions in the Privacy Rule, including the Rule’s restrictions on the use and disclosure of PHI. In addition, authorizations from patients whose PHI is included in any materials would be required before such materials are posted online, printed in brochures for the public, or otherwise publicly disseminated." This quotation can be found here: "Can health care providers invite or arrange for members of the media, including film crews, to enter treatment areas of their facilities without prior written authorization?" https://www.hhs.gov/HIPAA/for-professionals/faq/2023/film-and-media/index.html No reasonable person, especially one with an ethical eye, would conclude that HIPAA's conceptualization of "healthcare operations" includes programs for teenage shadows. After a reasoned analysis of this conceptualization, The AHIMA Privacy and Security Practice Council concluded, "[J]ob shadowing experiences that involve patient or PHI exposure are not part of a [covered entity's] healthcare operations and cannot be permitted without the authorization of each involved patient or individual." (Journal of AHIMA, "Job Shadowing and the HIPAA Privacy Rule," pp. 69, 71) Among the consequences of HIPAA authorities' inclusion of shadowing programs beneath the rubric of "healthcare operations" have been egregious violations of patients' rights to privacy and dignity that may rise to the level of torts. Furthermore, a careful reading of HIPAA's conceptualization of "business associate" would not lead a thoughtful reader to include commercial film organizations in a list of business associates. My efforts to find out how HIPAA authorities are able to reconcile including shadowing programs as "healthcare operations" and commercial film crews as "business associates" with principles of healthcare ethics and HIPAA's mandate to protect patients' privacy have been in vain.

A survey I have done suggests that few healthcare providers are aware of what HIPAA authorities (as distinct from HIPAA itself) do permit. For example, according to one of the Office of Civil Rights' regional managers, all shadowing programs run by "covered entities" are classified beneath the rubric "health care operations" (45 C.F.R 164 164.501) and as such are exempt from obtaining the prior consent of patients before permitting shadows (no matter their age, educational status, or purpose) to have access to patient's "protected health information" (PHI) and observe exchanges between providers and patients. The regional manager labels prior consent as a mere "courtesy" rather than an element of patients' right to privacy, dignity, or autonomy. HIPAA authorities also allow "covered entities" to categorize commercial film organizations (e.g., CBS, ABC, NBC) as "business associates." As "business associates," members of these organization's film crews have free rein to access ER patients' PHI and to observe or film them as they are stripped naked and catheterized if they are believed to be unable to give consent and there is nobody present who has the authority to represent their interests (usually a family member). However, these companies must obtain consent from patients (or, if they are unable to give consent, their representatives) before broadcasting what they film.

I assume, maybe incorrectly, that by “wrong” you don’t mean morally or ethically wrong. In context, the only other interpretive option is that by wrong you mean that “the individual” was incorrect when he wrote, “I see no evidence …”; that he, in fact, did see “evidence that …” Or maybe you simply intended to reiterate your sorrow “that you [TheMoon] feel the need to categorize people by the color of their skin” rather than accept the implicit challenge made by the “other person” that you provide evidence that TheMoon feels “the need to categorize people ...” An acceptance of this challenge would require either a clear articulation of what you mean by “need” or, at the very least, a clear articulation of TheMoon’s words from which your understanding of the word “need” can be inferred. After all, yours is a curious use of “need” which, when applied to human beings, suggests something that is essential to their physical (e.g. biological), psychological, and/or social well-being as Abraham Maslow does in his “hierarchy of needs.” Knowledge of what constitutes a human need, along with the response of the “other person” should help answer your question, “I don’t know what good that [categorizing “people by the color of their skin”] does but I’m asking if you have some reason?”

It seems to me that the best place to begin a discussion of racism is to define and conceptualize it. In my experience, this occurs only in academe. Outside of the academy – in blogs such as this one, in the media, in casual conversations, etc. – people are likely to talk past each other if they have different understandings of what racism entails and don’t make these understandings known to each other. For example, some people understand racism in the way it used to be defined in Webster – a belief that the members of some racial groups are genetically and culturally inferior or superior to other racial groups. Using this definition, a person could reasonably claim that racism in the U.S. is relatively rare. By contrast, another person might reasonably argue that racism is as American as apple pie or at least one of the central values of the American way of life based on the definition of racism as a belief, attitude (e.g., prejudice), behavior (e.g., individual discrimination), or institutional practice (e.g., institutional discrimination) that favors one racial/ethnic group over another. When two people get together to discuss a controversial phenomenon such as racism, the discussion is highly likely to go nowhere or be counterproductive if neither party knows how the other party defines concepts relevant to the discussion.

You are correct; racism is a construct. So too is race. More precisely, race and racism are social and theoretical constructs.

I see no evidence that TheMoonisMyLantern feels “the need to categorize people by the color of their skin.” People in the U.S. and most other countries tend to be socialized early in life to distinguish between individuals who are members of different racial categories to the point that it is done without deliberation. To what end? Those who believe that “racism should stop” can only recognize that racism exists if, among other things, they distinguish between members of different races. Similarly, the only way they can know whether or not racism has stopped (increased, decreased, or remained the same over time and across geographic locations) is if, among other things, they distinguish between members of different races.

One does not have to look too hard to find historical accounts of Black American experiences during Black History Month. I find that writings about American Indians seem to increase in November (American Indian and Alaska Native Heritage Month), Asian Americans in May (Asian American and Pacific Islander Heritage Month), and Hispanic Americans between September 15 and October 15 (National Hispanic Heritage Month). Seems apropos to me.

Students have practiced on me a number of times over the years. I always believed that by volunteering my time and veins to help them learn, I was providing them with a service. Yet, although one supervisor thanked me for my service, I was granted no such courtesy by any student?

I suspect that if the patient in the cartoon filed a complaint with HIPAA authorities, they would classify the apparent HIPAA breach as "incidental" and take no action. This is what happened to me. I was in an ER cubicle awaiting a diagnosis. There were no patients there when I came in. After about 1/2 hour two young ladies entered with a physician. The physician guided them to a cubicle, catty-corner from the one I was in, and began right off asking one of them personal questions about her sex life. It wasn't long before I knew her name, where she lived, that she last had sex with her boyfriend the weekend before, that she did not use contraception, etc. I phoned HIPAA and reported what I had heard and was told that what I thought would be considered a HIPAA breach was, in fact, "incidental" and no action would be taken.