Many organizations record surgical procedures performed at their facilities with the intention of using the footage for educational or quality assurance purposes, among other reasons. However, it is important to ensure that such recordings and photographs adhere to the organization's policies regarding patient consent, privacy, and confidentiality, as well as medical record documentation and storage. Because the circumstances may vary, risk managers should carefully consider whether requirements for obtaining a patient's authorization for the use and disclosure of protected health information (PHI) are being met.
The Health Insurance Portability and Accountability Act (HIPAA) does not require patient authorization for the use and disclosure of PHI for healthcare operations such as quality improvement. Likewise, the HIPAA privacy rule does not require a patient's authorization for the use and disclosure of photographs and recordings containing PHI if they are used for training and education provided to staff, physicians, students, and others within the covered entity. In these situations, training and education also fall under HIPAA's definition of healthcare operations. If, however, the images containing PHI will be presented in an educational setting outside the covered entity, such as at a professional society conference or seminar, the patient's authorization for the use and disclosure of the information must be obtained. No authorization is needed if the patient cannot be identified from the images.
However, it is important to note that the Joint Commission requires its accredited hospitals and ambulatory care centers to consider patient privacy and comply with “laws and regulations when making and using recordings, films, or other images of patients” (RI.01.01.01 EP 37). This means that accredited healthcare facilities must comply with applicable laws and regulations (e.g., HIPAA) when recording patients for educational or quality assurance purposes. In addition, healthcare organizations should obtain informed consent from the patient or surrogate before making and using recordings, films, or other images of the patient.
Risk managers should consult with medical staff and legal counsel when drafting policies to make sure that proposed procedures fit within the reality of physicians' needs and comply with relevant federal and state laws and regulations as well as accrediting standards. When policies are in place, educational programs should alert the entire medical and support staff to the policies' existence.
Patient photographs, videos, and other images collected by the healthcare facility, as well as the forms documenting patient consent to have photos or videos taken and patient authorization for the use and disclosure of such recordings, should be part of patients' medical records. Policies should address the following issues related to storage, security, and record retention:
- All photographs, films, videos, and other recordings should be clearly identified with the patient's name, identification number or date of birth, and date that the image or recording was obtained. Facilities must have measures to maintain images that contain PHI in a manner that prevents unauthorized viewing.
- Some hospitals still record on film reels. If bulky recordings such as videotapes are stored separately from the medical record, a note in the medical record should indicate that the recordings exist and identify where they are stored.
- Images with PHI that are collected in an electronic format should be managed in a manner that ensures compliance with HIPAA's security rule for the electronic storage and transmission of PHI.