Practice Pointers in the Wake of the Johns Hopkins Hospital Privacy Settlement

An OB/GYN at Johns Hopkins was fired last year after a colleague reported her suspicions about a “pen-like device” that was always around his neck, and that turned out to be a camera. He had secretly photographed 7,000 patients over ten years while conducting pelvic exams. Ten days later he committed suicide. Last month, the hospital agreed to settle the class action lawsuit brought by patients whose privacy had been violated for $190 million.

My advice to health care providers (Covered Entities under HIPAA) in a story in Report on Patient Privacy in light of this case recognized the fact that there is no way to protect an organization against a determined bad actor, but there are ways to limit the damage that may be wrought by such an individual. Photography is clinically appropriate in a wide variety of situations, but given the attention that this case has been getting nationally, Covered Entities would be well-advised to review photography and recording policies and their implementation, and be sure to explain them carefully to patients.

Here’s an excerpt from the piece with some of my specific advice:

• Ensure consent is appropriately received. For example,“obtaining informed consent for use of photography or other recording devices should be standard in both the research and treatment contexts. In the research context, institutional review board approval should be required in advance as well. Policies should mandate the documentation of informed consent before any recording may be made.”
• Make it easy to complain. “If there is a strong culture of compliance, generally, in a practice or institution, then reporting of violations or suspected violations of whatever sort, via an anonymous tip line or other mechanism, may be promoted and used.”
• Look beyond policies and procedures. “I don’t care how carefully you have plotted out your privacy and security compliance plan,” Harlow says. “It has to be implemented by the people in your organization, and if they have not bought in to the whole concept and taken the core principles to heart, then the plan can never truly be operationalized.”
• Customize your approach. Make it homegrown, and provide training and education “not just with respect to the ‘shalts’ and ‘shalt nots’ in the privacy rulebook.”
• Foster patient empowerment and “patient-centeredness.” When this is done, “patients speak up immediately if something seems amiss rather than harboring misgivings.”

CEs should take care to employ methods that fit “with a broader culture of compliance and patient-centeredness and patient empowerment throughout the institution,” Harlow concludes. “Unless this is done, an institution runs a greater risk of experiencing a local or general breakdown in the realm of patient privacy.”

There has been no announcement to date of an OCR investigation in this matter. As in the case of the recent story about “baby wall” photographs of newborns, some commentators note that the photographs in question are not identifiable as photographs of specific individuals and therefore do not raise HIPAA issues.

The damage done in this case to the trust of thousands of women is likely to be felt for years, as many members of the class — as well as other women — are likely to avoid the health care system in the future and therefore to bear a heightened burden of disease.