Pokémon Go Could Lead to HUGE HIPAA Fines

Have you heard about the latest craze?  Pokémon Go.

So what is it?  Well, imagine taking cartoon characters and putting them in the middle of the real world as you look through the camera on your cell phone.  Start playing the game and as you “go” the Pokémon characters just appear where you’re at.  You collect them, battle, earn points, etc.  Everything you would expect from a game.

So how does this relate to HIPAA and HUGE FINES?

The issue really isn’t with your patients playing the game.  It has to do with your medical staff playing.  Let me share what could get you in hot water with the Office of Civil Rights, OCR, the group that enforces HIPAA-compliance.

It’s a normal day in the office playing Pokémon Go…

One of your staff is playing Pokémon Go as they are walking along the corridors of your practice or hospital.  Let’s assume they’re on break.  They decide to take a screenshot of the character they just found and post it on their Facebook page or Instagram.  Everyone will be impressed with who they just found.

(Characters shown on screen while walking through a park)

 

What they don’t see is what’s behind the character in the background.  There is a patient who is in a wheelchair waiting in the hall to see a doctor.  There is another patient coming out of a room.  And then on the side of the door is a patient’s medical folder where you can make out their last name.  Seems pretty harmless, except it’s a HIPAA violation.

The full face of the patients as well as the last name are considered PHI, Protected Health Information and the release of the information requires permission.  No permission means you’re in violation and all it’s going to take is someone to see the picture online and report it anonymously to  OCR’s website.  Just imagine what else OCR will find when they come to look at your practice.

Can’t happen?

You might want to talk to Complete P.T., Pool & Land Physical Therapy., of Los Angeles.  Back in 2012, one of their patients complained about having their face on their website without their permission (think picture on Facebook / Instagram).  They filed a complaint with OCR, and 2 years later, the practice owed a $25,000 fine and were under the watchful eye of the government for a year.

Simple mistake with an expensive consequence.

Our recommendation?  Send out a bulletin or memo to your staff informing them of the possible HIPAA violations from “accidentally” releasing Protected Health Information when playing Pokémon Go.  Also, for the safety of the patient’s privacy and the protection of the practice, prohibit playing Pokémon Go on the premises (including the parking lot where they may accidentally capture a license plate).  Also, if you haven’t discussed your social media policy and HIPAA requirements recently, now would be a good time.

Protecting your practice is up to you, but we’re here to help you with your HIPAA Compliance if you need us.

Call today at 336-303-1730 x1002 to discuss your HIPAA-Compliance issues.