
Can I Record This Visit? How to Protect Patient Data Online and Off

If your practice allows visits to be recorded by caregivers, could the recordings or photos taken at your practice prompt online discord, or even a malpractice suit? According to the AAP, state laws apply when it comes to recording visits. Whether you’re all for recording a visit or you’re more wary of the idea, there are ways to protect your patients’ privacy as well as your practice’s reputation -- even when things like others’ social media accounts seem out of your control.

Is making a recording of a visit allowed?

If a parent takes out a smartphone and begins to record a video during their child’s visit, under federal law it is legal to do so, even without the staff member or physician’s consent or knowledge. However, as the AAP has stated, stricter laws in some states supersede this federal requirement, and while some states only require one party to consent, others require all parties to the conversation to consent.

Fortunately, depending on your practice, both local laws and your practice’s policies can protect your patients, staff, and your professional reputation from recordings that could be shared, edited, or maligned in ways you don’t want.

Here’s the essential information you should know about visit recordings:

    • Federal law requires only 1 consenting party to legally record a conversation -- this could mean the parent or caregiver or even the patient could record a conversation, even without the provider’s consent.
    • Your state’s and city’s laws can have more specific and sometimes stricter rules surrounding video and audio recordings of private conversations. Currently, 12 U.S. states require all parties (both the parent and physician, for example) to consent. You can check your state’s requirements here, but it is always worth checking with a lawyer for legal advice.
    • If a parent records a visit of their child which includes protected health information (PHI), the HIPAA Privacy Rule does not apply, as the parent is not a covered entity under HIPAA.
    • However, a parent or caregiver may never record images, audio, or video of another patient or their PHI.

These rules and laws mean that in many cases, a caregiver may record their child’s visit, even if the physician or staff member doesn’t consent. Anecdotally, physicians have even discovered parents recording their instructions or the visit surreptitiously, leading some physicians to completely opt out of visit recordings, even as others don’t mind them as long as they’ve given consent. With such differing opinions, it pays to consider the risks and the benefits of recording a visit.

What are the benefits and risks of visit recordings?

Visit recordings can be useful tools for families and practices, and yet there are also certain risks involved when you allow a patient’s healthcare visit to be recorded. Reviewing the pros and cons can help you decide if recordings are a tool you’d rather leave out of your practice’s policies.

As mentioned in the section above, one risk of visit recordings is that a patient’s visit can be recorded without the provider’s knowledge. Regardless of the caregiver’s intentions, discovering after the fact that the visit was recorded can cause discomfort, and a simple misunderstanding could potentially damage the relationship between the staff member or physician and the family.

Other risks involve what happens to recordings or photos after the visit is concluded. The recording could be shared online or with other people, and in some cases, the physician or practice could come under fire for events in the recording, whether they are shown in context or out of it. Whether someone disagrees with the advice given, the tone it’s given in, or another issue, the practice has very little control over how such recordings are shared or interpreted, making them a difficult and problematic reputational risk.

Still, there are many benefits to the ability to record visits. Recorded visits may help families follow complex directions for the care of their child, and a caregiver may share the recording with another caregiver who was unable to be present. Recordings also may help enhance understanding of medical instructions and improve patient satisfaction and provider relationships.

One possible benefit that may occur to you is that recording visits may help facilitate conversations with limited English proficient (LEP) speakers. However, according to the AAP, this is not a preferred method, especially if the translator is a family member or the patient themselves. A qualified interpreter or interpreting service is always the desirable option.

Once you’ve decided which method of visit recording, if any, works for your practice, how should you begin in a way that protects both patient privacy and your practice’s reputation? A good start is always to review your policies about recording visits and even cell phone use in general at your practice. Below are some strategies to get you started.

Protecting PHI and Your Practice’s Online Reputation

Protecting PHI is a duty of healthcare providers under federal laws like HIPAA; it is also an obligation for pediatric practice owners to protect the reputation of their business from misinformation or negativity. To begin protections for your practice, you can update practice policies to fit your local and state laws’ requirements for audio and visual recordings.

Don’t forget! Your legal representatives and insurance carriers are the experts for your practice’s unique location and circumstances. Consult your malpractice carrier, compliance officer, and/or an attorney for questions about local and state laws, HIPAA requirements, and your responsibilities surrounding recorded audio and video at your practice.

Even if you don’t mind allowing recordings of a visit, you can also add stipulations to your policies: for example, that the physicians and staff recorded must give consent, that recordings are reviewed by all parties during the visit, or that no recordings are allowed in public areas such as the reception area.

If a parent records a visit, takes a photo, or makes another recording and shares it publicly via social media or another communication channel, the AAP recommends that you avoid responding. Is it ever okay to respond to a public conversation about your practice, especially on social media? Visit our previous post, How to Combat Negativity on Social Media, for more information.

Other Ways to Protect Patient Data

While visit recordings are sometimes complicated when it comes to protecting PHI, there are many workflows your practice can build into everyday routines and tasks, such as when your practice gains or loses an employee, so that even new or unusual circumstances have built-in patient data protection.

Mobile Devices & Social Media

Mobile devices are a ubiquitous tool for recording and sharing patient data. As previously mentioned, your practice should discourage recordings or photos in the reception room. Recordings, where allowed, should be performed in a private exam room with the door closed, with no other patients’ data visible.

Don’t forget -- recordings include photos, which you should be screening before social media or other use. Be sure patients don’t appear in them without permission. Employees should also adhere to clear expectations for their own device use, including personal and practice-owned devices such as laptops and phones. It’s also never a bad time to check on your mobile device security settings and make sure that: your device is updated, you’re using secure WiFi networks, and optionally, you have downloaded security tools such as firewalls, security software, or remote wiping, which can delete information on a device if it is lost or stolen.

While it is possible to use photos, mention cases, and share healthcare information on social media, it is critical to check and double check HIPAA requirements before posting any patient information onto social media, if you decide to do so at all. In one study, “17% of sample posts were found to include enough information for patients to identify themselves or their providers.” It’s also wise to learn the security, privacy, and data settings for the social media accounts you choose to use, so that you have both control and awareness of how your posts are used, recorded, and seen by the public.

Use Your EHR Wisely

Your EHR should be working hard to ensure that appropriate PHI is presented to appropriate users. To do this, your EHR users should each have separate accounts with private, secure passwords. You can set up a workflow that reminds you to make secure accounts for new employees as well as disable or delete previous employee accounts.

PCC EHR users can also tailor user preferences to make sure that users can only access the functions they need to perform their duties, and that users are alerted with relevant information that helps keep patient data safe. For example, you’ll get an alert when a teenage patient is able to speak privately without parents present. PCC’s patient portal offers the same standard of privacy for families.

Safe data practices keep patients’ data secure and are integral to building strong relationships between your patients and their medical home. To learn more about how to keep your cybersecurity up to date, including how to perform a Security Risk Assessment, check out our previous post and get started now.

5 Ways to Strengthen a Healthcare Practice’s Cybersecurity

Allie Squires

Allie Squires is PCC's Marketing Content Writer and a transplant from upstate New York. She holds a master's in Professional Writing from NYU.