The OB/GYN had secretly photographed 7,000 patients over ten years while conducting pelvic exams. Ten days later he committed suicide. Last month, the hospital agreed to pay $190 million to settle the class action lawsuit brought by patients whose privacy had been violated.
My advice to health care providers (Covered Entities under HIPAA) in a story in Report on Patient Privacy recognized the fact that there is no way to protect an organization against a determined bad actor, but there are ways to limit the damage.
Photography is clinically appropriate in a wide variety of situations, but given the attention that this case has been getting nationally, Covered Entities would be well-advised to review photography and recording policies and their implementation, explaining these carefully and thoroughly to patients.
Here's an excerpt from the piece with some of my specific advice:
CEs should take care to employ methods that fit “with a broader culture of compliance and patient-centeredness and patient empowerment throughout the institution,” Harlow concludes. “Unless this is done, an institution runs a greater risk of experiencing a local or general breakdown in the realm of patient privacy.”
There has been no announcement to date of an OCR investigation in this matter. As in the case of the recent story about "baby wall" photographs of newborns, some commentators note the photographs are not identifiable as photographs of specific individuals and therefore do not raise HIPAA issues.
The damage done in this case to the trust of thousands of women is likely to be felt for years, as many members of the class -- as well as other women -- are likely to avoid the health care system in the future and therefore to bear a heightened burden of disease.