Privacy Concerns with Health Care Providers’ Use of Personal Devices for Medical Images
By: Deirdre Sullivan
Last year I had to go to urgent care for a second degree burn on my chest after spilling boiling hot tea on myself. I was surprised when the provider took a photo of my burn, in a relatively sensitive area, with her own cell phone to upload to the medical file. Seeing my surprise, she assured me that this was through a secure application and the photo of my chest was not actually stored on her phone.
The following week, my primary care provider did the same thing to continue tracking the burn’s progress. I also expressed the same concerns, and she went further by showing me that the photo was not stored on her camera roll.
While I trusted these two female providers, I was still skeptical and imagined all the ways that this could go wrong for a patient. The practice of using personal devices for imaging is ripe for abuse, and this blog post will explore potential harms to patients as well as liability for health care providers.
Patients have a reasonable expectation that images of them will not be shared beyond what is necessary to provide care, and the practice of photographing patients with personal devices plainly threatens that expectation. There is a tension between the privacy interests of the patient being photographed and the business interest of the health care entity in avoiding the cost of keeping dedicated devices on hand while making it easy for providers to document injuries in the medical file or share images with other providers for a consult.
There are two ways an image could end up captured and stored on a provider’s personal phone. The provider could take the photo directly with the phone’s camera, without any secure app, for example to send it to a colleague for a consult. Or the provider could take a photo under the guise of using the secure app and then conceal it from the patient: switching from the secure app to the phone’s own camera app to take a second photo, then “proving” nothing was stored by showing the patient the last photo in some album rather than the most recent photo in the camera roll. A provider could also simply take a screenshot of a sensitive image while it is displayed in the secure app.
In either scenario it would be extremely difficult for the patient to detect the violation. Most of these photos do not show a face, which makes them hard to identify and trace once they leave the provider’s phone, whether through intentional sharing or because the phone is stolen or compromised. Patients are also at an informational disadvantage: they may not know to worry about improper photos being taken, or that sensitive photos are stored on their provider’s phone and passed to other people.
Potential Business Liability
Breach under HIPAA?
Most photos of patients are covered by HIPAA’s Privacy Rule.[1] Photos may be used or disclosed for treatment purposes[2] (such as consults), but other disclosures of a patient’s images require a signed authorization from the patient.[3] Further, images “taken by a member of a Covered Entity’s workforce without the authorization of the patient and/or for a use or disclosure not permitted by the Privacy Rule” count as reportable breaches that may be investigated by the HHS Office for Civil Rights (OCR).[4]
Unfair or Deceptive Acts and Practices (UDAP)
Section 5 of the FTC Act empowers the FTC to bring actions against businesses that engage in unfair or deceptive acts or practices.[5] The FTC Act defines an unfair act or practice as one that “causes or is likely to cause substantial injury to consumers, cannot be reasonably avoided by consumers, and is not outweighed by countervailing benefits to consumers or competition.”[6] It is likely that either an intentional or an unintentional disclosure of a patient’s image would constitute an unfair act that the patient could not reasonably avoid, exposing health care entities to possible enforcement by the FTC or OCR, and to actions by state attorneys general and consumers under state UDAP statutes that mirror the FTC Act.
State Nonconsensual Photography Statutes
Most U.S. states now prohibit the nonconsensual dissemination of intimate images, a response to the rise of websites where bad actors post such images.[7] Sensitive medical images improperly taken by a provider on a personal device could plausibly end up on these sites. For example, Maine’s statute criminalizes disclosing or publishing an identifiable nude image of a person who has not consented to its dissemination, display, or publication.[8] The “identifiable” element of the statute may be a hurdle for a patient whose face is not in the image, but this will vary case by case.
Patients may also be able to recover under the tort of public disclosure of private facts, though this hinges on whether the image is publicized.[9] Another possible cause of action is intrusion upon seclusion, which has no publication requirement but instead requires that the intrusion be highly offensive to a reasonable person.[10] Patients may be further protected by state confidentiality laws that impose liability on providers who unlawfully disclose patient information.[11]
Potential Solutions
While there are potential paths to recovery and regulatory enforcement actions against health care entities, patients are still at an extreme disadvantage in discovering and preventing photographic privacy violations. Accordingly, health care entities should focus on prevention. One possibility is inspecting providers’ personal phones, but that opens a whole other can of worms regarding employee privacy and surveillance. Health care entities, as many have done already, could mandate that images be taken and shared only through secure apps and ban texting of images, but this still has gaps: the provider could take a second photo with the phone’s own camera app, or take a screenshot of the image inside the secure app. (Android apps can block screenshots of their own screens with the FLAG_SECURE window flag; iOS does not let an app block screenshots, only detect them after the fact.) Another possibility is that secure apps could be designed to alert the health care entity when a provider leaves the app mid-capture and returns shortly afterward, a pattern consistent with switching to the camera app.
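One way the alerting idea in the previous paragraph could be implemented on the health care entity’s side, as an added example that is not from the original post and not from any real imaging product: the secure app reports lifecycle events (a capture session opening and closing, the app going to the background and returning, a screenshot being detected) to a server, and a small detector flags sessions where the app was left and re-entered within a short window, or where a screenshot was taken. The event names, fields, threshold, and the sample events are all assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical audit-event format that a secure imaging app might report to the
# health care entity's server. Event kinds and fields are assumptions for this example.
@dataclass
class Event:
    ts: float                 # seconds since epoch, as reported by the app
    provider: str             # staff identifier
    kind: str                 # "session_start", "app_background", "app_foreground",
                              # "screenshot", or "session_end"
    patient: Optional[str] = None   # set on session_start only


@dataclass
class Alert:
    ts: float
    provider: str
    patient: Optional[str]
    reason: str


# Assumed threshold: leaving and returning within this many seconds during a
# capture session is treated as a possible switch to the native camera app.
RAPID_SWITCH_SECONDS = 30.0


def detect_suspicious_switches(events: List[Event],
                               rapid_switch_seconds: float = RAPID_SWITCH_SECONDS) -> List[Alert]:
    """Return alerts for rapid app switches or screenshots during capture sessions."""
    alerts: List[Alert] = []
    open_sessions = {}      # provider -> patient of the provider's active capture session
    background_since = {}   # provider -> ts at which the app was backgrounded mid-session

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "session_start":
            open_sessions[ev.provider] = ev.patient
        elif ev.kind == "session_end":
            open_sessions.pop(ev.provider, None)
            background_since.pop(ev.provider, None)
        elif ev.provider not in open_sessions:
            continue  # activity outside a capture session is not in scope here
        elif ev.kind == "app_background":
            background_since[ev.provider] = ev.ts
        elif ev.kind == "app_foreground":
            left_at = background_since.pop(ev.provider, None)
            if left_at is not None and ev.ts - left_at <= rapid_switch_seconds:
                alerts.append(Alert(ev.ts, ev.provider, open_sessions[ev.provider],
                                    f"left app for {ev.ts - left_at:.0f}s mid-session"))
        elif ev.kind == "screenshot":
            alerts.append(Alert(ev.ts, ev.provider, open_sessions[ev.provider],
                                "screenshot taken mid-session"))
    return alerts


# Constructed sample stream: one rapid switch, one screenshot, one long absence
# (plausibly a phone call) that should not alert, and activity with no session open.
SAMPLE_EVENTS = [
    Event(1000.0, "dr_a", "session_start", patient="pt_17"),
    Event(1012.0, "dr_a", "app_background"),   # leaves the secure app
    Event(1020.0, "dr_a", "app_foreground"),   # back after 8s -> alert
    Event(1040.0, "dr_a", "session_end"),
    Event(2000.0, "dr_b", "session_start", patient="pt_42"),
    Event(2005.0, "dr_b", "screenshot"),       # -> alert
    Event(2030.0, "dr_b", "app_background"),
    Event(2300.0, "dr_b", "app_foreground"),   # away 270s -> not rapid, no alert
    Event(2310.0, "dr_b", "session_end"),
    Event(3000.0, "dr_c", "app_background"),   # no session open -> ignored
    Event(3005.0, "dr_c", "app_foreground"),
]

if __name__ == "__main__":
    for alert in detect_suspicious_switches(SAMPLE_EVENTS):
        print(alert)
```

The output is a review queue, not proof of misconduct: an app cannot see why it was backgrounded (a phone call or a notification looks the same as a switch to the camera app), and it has no visibility at all once the session is closed, so this control catches only the in-session pattern the paragraph describes and should be paired with the device-level measures discussed below.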
Ideally, health care entities should ban the use of personal devices to photograph patients altogether. Instead of providers using their own phones, the entity could purchase inexpensive or refurbished phones that it owns and manages, and keep them available on emergency floors and other high-use areas. Another low-cost option is cameras that integrate directly with the entity’s record-keeping system. These solutions would balance lower business costs against the best care for patients, allowing easy consults and tracking of injuries while still protecting patient privacy.
Sources
[1] See 45 C.F.R. § 164.500(a).
[2] 45 C.F.R. § 164.506.
[3] 45 C.F.R. § 164.508.
[4] Steve Alder, What are the HIPAA Photography Rules?, The HIPAA Journal (Oct. 25, 2023), https://www.hipaajournal.com/hipaa-photography-rules/#:~:text=In%20such%20circumstances%2C%20the%20impermissible,HHS’%20Office%20for%20Civil%20Rights; 45 C.F.R. § 164.402 (A breach is defined as the “acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the Privacy Rule] which compromises the security or privacy of the protected health information.”).
[5] See F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236, 240 (3d Cir. 2015); Snapchat Settles FTC Charges That Promises of Disappearing Messages Were False, FTC (May 8, 2014), https://www.ftc.gov/news-events/news/press-releases/2014/05/snapchat-settles-ftc-charges-promises-disappearing-messages-were-false.
[6] 15 U.S.C. § 45(n).
[7] See generally Shelbie M. Mora, Revenge Porn: The Result of a Lack of Privacy in an Internet-Based Society, 1 Student J. Info. Priv. L. 78, 78-79 (2023).
[8] Me. Rev. Stat. Ann. tit. 17-A, § 511-A(1) (2015).
[9] Restatement (Second) of Torts § 652D (Am. L. Inst. 1977).
[10] Restatement (Second) of Torts § 652B (Am. L. Inst. 1977).
[11] See Me. Rev. Stat. Ann. tit. 22, § 1711-C (1999).