Patient Privacy

iPhones in the Operating Room

Did you know your staff - your wound care team, neurology faculty, your dermatology fellows - are all taking photos of patients on their iPhones?

Photos are becoming an increasingly important part of the care and clinical education process. Professors are taking videos of a Parkinson's patient's tremor progression to better teach their students. Dermatologists are tracking the growth and change of sun spots. Surgeons are recording new, innovative techniques to show at industry conferences. But are the images they're capturing secure?

Without the right guidance and institutional resources, your organization could be at risk for a very serious privacy breach. Here are three important issues you and your staff should understand before snapping those photos:

iPhone Encryption

Password protection is one of the most basic, important requirements for any employee using their iPhone for professional purposes. Most Apple devices encrypt their contents by default, with varying levels of protection. But to keep someone who steals the phone from accessing its contents, the device must also be locked with a unique passphrase or passcode. Your web, integrity and/or legal teams should all be involved in establishing encryption standards for your organization.

Photo Storage and HIPAA

When staff charge their iPhones at night, often auto-syncing to the cloud, HIPAA has been breached. When the dermatologist emails a photo to their patient or texts it to the lab tech for safekeeping, HIPAA has been breached. Your organization should consider investing in unique, secure devices, used only for clinical purposes, and/or approved iPhone applications, like Epic Haiku, for safe image storage and exchange. These newer apps allow staff to send their iPhone photos directly to a patient's electronic health record (EHR), bypassing storage on the device itself.


When training teams, I often get asked whether photos and video are OK to take on personal, encrypted devices, since the images are de-identified:

"We put a sheet over the patient's face before we photograph them."

"We cover up any identifying tattoos and moles."

"I make sure protected health information isn't out on my desk, when I take the photo."

Unfortunately, unique identifiers are not limited to the physical elements of the photograph. Other unique identifiers, called metadata, are captured automatically with each iPhone photo or video. Metadata includes information like the date and time the photo was taken and its geographic location (latitude, longitude and altitude). Your iPhone also automatically tags the make and model of your camera, the image resolution, the software used to process the image, and more.
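To make the point concrete, here is an added example (not from the original post or from any vendor's software) that shows where that metadata lives and how a sanitizing step removes it before an image leaves the device. The JPEG is constructed inline and carries only an Exif segment with the tags the post mentions (make, model, date/time, GPS position); the byte values are made up. The reader functions parse the real Exif/TIFF layout, so they also work on an actual photo file read from disk.

```python
import struct

# TIFF field types used in Exif: 2=ASCII, 3=SHORT, 4=LONG, 5=RATIONAL (two LONGs)
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime"}
GPS_IFD_TAG = 0x8825          # IFD0 entry that points at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004

def _build_ifd(entries, ifd_offset):
    """Serialize (tag, type, count, value_bytes) entries as a big-endian IFD.
    Values longer than 4 bytes go into a data area right after the IFD."""
    data_start = ifd_offset + 2 + 12 * len(entries) + 4
    out, data = struct.pack(">H", len(entries)), b""
    for tag, typ, count, val in sorted(entries):
        if len(val) <= 4:
            field = val.ljust(4, b"\x00")            # small values are stored inline
        else:
            field = struct.pack(">I", data_start + len(data))
            data += val
        out += struct.pack(">HHI", tag, typ, count) + field
    return out + struct.pack(">I", 0) + data          # 0 = no next IFD

def build_sample_jpeg():
    """Constructed stand-in for a phone photo: a tiny JPEG whose only job is to
    carry an Exif APP1 segment. The camera and GPS values are invented."""
    ifd0 = [(0x010F, 2, 6, b"Apple\x00"),
            (0x0110, 2, 10, b"iPhone 12\x00"),
            (0x0132, 2, 20, b"2021:03:14 09:26:53\x00"),
            (GPS_IFD_TAG, 4, 1, struct.pack(">I", 0))]  # pointer patched below
    gps_off = 8 + len(_build_ifd(ifd0, 8))
    ifd0[3] = (GPS_IFD_TAG, 4, 1, struct.pack(">I", gps_off))
    gps = [(GPS_LAT_REF, 2, 2, b"N\x00"),
           (GPS_LAT, 5, 3, struct.pack(">6I", 40, 1, 42, 1, 4620, 100)),  # 40d 42' 46.20"
           (GPS_LON_REF, 2, 2, b"W\x00"),
           (GPS_LON, 5, 3, struct.pack(">6I", 74, 1, 0, 1, 2140, 100))]   # 74d 0' 21.40"
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + _build_ifd(ifd0, 8) + _build_ifd(gps, gps_off)
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    scan = b"\xff\xda" + struct.pack(">H", 2) + b"<fake scan data>" + b"\xff\xd9"
    return b"\xff\xd8" + app0 + app1 + scan

def split_jpeg(jpeg):
    """Return ([(marker, segment_bytes), ...], scan_data) for the header segments
    before Start-Of-Scan; everything from SOS onward is passed through untouched."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    segments, pos = [], 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:                            # SOS: entropy-coded data follows
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segments.append((marker, jpeg[pos:pos + 2 + length]))
        pos += 2 + length
    return segments, jpeg[pos:]

def _decode(typ, count, raw, endian):
    if typ == 2:
        return raw.rstrip(b"\x00").decode("ascii", "replace")
    if typ == 4:
        vals = struct.unpack(endian + "%dI" % count, raw)
        return vals[0] if count == 1 else vals
    if typ == 5:
        n = struct.unpack(endian + "%dI" % (2 * count), raw)
        return tuple(n[i] / n[i + 1] for i in range(0, len(n), 2))
    return raw

def read_ifd(tiff, offset, endian):
    """Parse one IFD into {tag: decoded value}; offsets are relative to the TIFF header."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        size = TYPE_SIZE.get(typ, 1) * n
        if size > 4:                                  # value lives in the data area
            off = struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
            raw = tiff[off:off + size]
        else:
            raw = tiff[e + 8:e + 8 + size]
        entries[tag] = _decode(typ, n, raw, endian)
    return entries

def _to_degrees(dms, ref):
    d, m, s = dms
    deg = d + m / 60 + s / 3600
    return -deg if ref in ("S", "W") else deg

def extract_metadata(jpeg):
    """Return the identifying Exif fields (make, model, timestamp, GPS fix) as a dict."""
    for marker, seg in split_jpeg(jpeg)[0]:
        if marker == 0xE1 and seg[4:10] == b"Exif\x00\x00":
            tiff = seg[10:]
            endian = ">" if tiff[:2] == b"MM" else "<"
            ifd0 = read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
            found = {TAG_NAMES[t]: v for t, v in ifd0.items() if t in TAG_NAMES}
            if GPS_IFD_TAG in ifd0:
                gps = read_ifd(tiff, ifd0[GPS_IFD_TAG], endian)
                found["GPSLatitude"] = _to_degrees(gps[GPS_LAT], gps[GPS_LAT_REF])
                found["GPSLongitude"] = _to_degrees(gps[GPS_LON], gps[GPS_LON_REF])
            return found
    return {}

def strip_metadata(jpeg):
    """Drop APP1..APP15 (Exif, XMP, vendor notes) and COM segments; keep the
    segments a decoder needs (JFIF APP0, quantization/Huffman tables, frame header)."""
    segments, scan = split_jpeg(jpeg)
    kept = b"".join(seg for m, seg in segments if not (0xE1 <= m <= 0xEF or m == 0xFE))
    return b"\xff\xd8" + kept + scan
```

Running `extract_metadata(build_sample_jpeg())` returns the make, model, timestamp and a decimal latitude/longitude; running it again on `strip_metadata(...)` returns an empty dict while the image data after Start-Of-Scan is byte-for-byte unchanged. In practice this sanitizing step belongs in the approved capture app or the upload path, not with individual staff, which is the post's point.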

Your operating staff likely does not know (nor should they) how to remove metadata tags from individual iPhone photos. But they should know how to encrypt and use their devices appropriately, and which devices or applications are approved for clinical documentation use at your company.

Inappropriate and unsafe device use is one of the most serious issues in health care today. You must invest in comprehensive internal education and clinical resources to protect your patients, your employees and your organization.

Click here to learn more about our internal training services.


Jess Columbo

Principal, Med|Ed Digital

Before you accept that Facebook "friend"

Did you know? Nearly one in four nurses say they've received a Facebook friend request from a patient. The real number is probably closer to two-thirds of your clinical team having received a request to befriend a patient on social media.

Before your employees hit "accept," here are four important integrity and compliance issues to consider:

1. TMI

If your employee's social media privacy settings aren't set up correctly, patients now have access to a great deal of personal information, information that could affect their feelings of trust and safety in the care your employee is providing.

Moreover, staff will see things they may not want or need to know about patients' personal lives. Perhaps the patient reported financial distress, but your employee sees an Instagram photo of a new car. Perhaps the patient reported suffering from a severe mobility issue, but the employee sees them tagged in a recent triathlon photo.

Is your employee allowed or obligated to report this information to the care team? Could or should this information change the way care is provided?

Some online searching is legal. HR staff can do specific research when evaluating a new hire, and psychiatry staff may be allowed limited searches as well. But the slope is very slippery.

2. Violates patient privacy

Imagine: Before socially connecting with your employee, a patient "checked in" on Facebook for their appointment at your clinic. They include a comment about the specific surgery they're feeling anxious about.

Your employee and this patient become Facebook friends, and your employee "Likes" one of the patient's recent profile photos. One of your employee's existing Facebook friends sees a notification in their newsfeed, indicating that your employee and this patient are now "friends." The friend clicks on the patient's name and is now scrolling through their personal photos and updates.

Oops. Your employee has just disclosed this patient's status on their behalf and without their consent.

3. Encourages inappropriate conversation

The complications of a digital relationship with your patient don't stop with an accepted friend request. A Facebook friendship opens the door for public, traceable conversations that can turn inappropriate quickly.

What if your patient comments on your page about issues they're having with billing or receiving a referral? Are you obligated to respond?

What if they start asking you specific questions related to their care? What if you answer and give them incorrect care instructions?

What if they start posting slanderous remarks about your colleagues? Should you report them to your manager or the union?

4. Mark Zuckerberg owns it all

It's tempting for employees to think that private Facebook messages they send to patients are, in fact, private. However, everything shared on a social media platform is owned by the platform, not you.

When residents exchange patient information via Google Docs, they have, albeit unintentionally, breached HIPAA, because that content is now owned by Google. The same principle applies on Facebook, Twitter and LinkedIn.

We know real, important relationships develop between patients and staff during the course of care, but it can be incredibly risky to carry those relationships into the digital space. When you share something on social media, that content is no longer yours; it's not private and it's not protected.

Be sure your staff understands the serious ethical and legal issues associated with patient digital engagement and establishes clear online boundaries.

Click here to learn more about our custom employee training.