What would you do?

If management isn't do anything, you could report it to the bon

JACHO?

Does your company not have a compliance hotline where you can make anonymous complaints?

Your OP says 5 people took a cell phone picture of a patient while awake. Did you mean while asleep? If the patient was awake, would he not have known the people were taking these pictures? There are some instances where taking pictures is appropriate- such as documenting a wound for a chart. Pictures of clinically relevant things are taken in the OR all the time. I'm sure there's a picture of the inside of my brain from 15 years ago in the basement of the hospital where I had my surgery somewhere.

If people were taking pictures without the patient's consent, on their personal phone and the pictures were not relevant to the patient's care, this is likely a violation of HIPAA.

Filing a HIPAA Complaint | HHS.gov

They use to have the hotline and removed that option. Yes 5 people and nothing to do with the case. Strange object in an eye. Just a once in a life time crazy occurance. Most like never see anything like that again. But most patients don't know laws and he was elderly and alone. These were personal cell phones. Nothing to do with education. The pt wasn't even in the OR room yet.

There HAS to be a compliance officer somewhere in your organization. Contact Risk Management if you don't know how to contact the compliance officer.

From: What are the Duties of a HIPAA Compliance Officer

The Healthcare Insurance Portability and Accountability Act requires that a person (or persons) within a Covered Entity or Business Associate is assigned the duties of a HIPAA Compliance Officer. This may be an existing employee or a new position can be created to meet the requirement. It is even possible to outsource the duties of a HIPAA compliance officer on a temporary or permanent basis.

But, what are the duties of a HIPAA Compliance Officer? And how much work is involved? That will depend on the size of the Covered Entity or Business Associate, and the volume of Protected Health Information (PHI) it creates, uses, and maintains. In larger organizations it is often the case that the duties of a HIPAA Compliance Officer are divided between a Privacy Officer and a Security Officer.

A HIPAA Privacy Officer is responsible for developing a HIPAA-compliant privacy program if one does not already exist, or - if a privacy program is already in place - for ensuring privacy policies to protect the integrity of PHI are enforced. He or she will deliver or oversee ongoing employee privacy training, conduct risk assessments and develop HIPAA-compliant procedures where necessary.

A HIPAA Privacy Officer will have to monitor compliance with the privacy program, investigate incidents in which a breach of PHI may have occurred, report breaches as necessary, and ensure patients´ rights in accordance with state and federal laws. In order to fulfil the duties of a HIPAA Privacy Officer, the appointed person will have to keep up-to-date with relevant state and federal laws.

They use to have the hotline and removed that option. Yes 5 people and nothing to do with the case. Strange object in an eye. Just a once in a life time crazy occurance. Most like never see anything like that again. But most patients don't know laws and he was elderly and alone. These were personal cell phones. Nothing to do with education. The pt wasn't even in the OR room yet.

Why does anyone even have their personal cell phone with them in the OR? That's a serious question.

While this would most likely violate facility policies and basic ethical principles, if the photo contained no patient identifiers then it would not be a HIPAA violation.

Your post referenced some sort of sexual assault? or was the reference to him being "violated" a reference to the taking of pictures of his eye?

While this would most likely violate facility policies and basic ethical principles, if the photo contained no patient identifiers then it would not be a HIPAA violation.

Your post referenced some sort of sexual assault? or was the reference to him being "violated" a reference to the taking of pictures of his eye?

Being that the picture was of the patient's face, I think that could be considered a patient identifier, no?

Being that the picture was of the patient's face, I think that could be considered a patient identifier, no?

I was picturing just the eye, not the whole face as being in the picture.

Out of curiosity, what makes you think these individuals are getting away with this (the unauthorized pictures and such) because they know someone? If, indeed, they get away with something because they "know" someone, it makes it much more desirable to go with the anonymous reporting route. I agree with filing something with the compliance officer.