Q. Do big screens mounted in an operating room (OR) or emergency room (ER) displaying patient data violate the HIPAA security rule regarding work-station use and security standards? So many unauthorized people can view patient data as they walk by these screens. However, they are crucial for treatment purposes.
A. Where feasible, hospitals should angle the screens to allow use by the clinician while minimizing incidental disclosure. For example, an OR is generally a more closed environment. Few individuals other than clinical staff members performing an operation are present to see the screen.
If there is a window that allows passersby to see into the OR, consider repositioning equipment as necessary and angle the screen away from the window. It is more difficult to avoid incidental disclosure when using the screens in an ER. The screens represent a valuable tool in patient care.
Where feasible, try to angle the screens so clinicians can view them while minimizing the exposure of PHI to unauthorized individuals (e.g., family members accompanying patients in the ER). The screens do represent a form of workstation, but the privacy rule merely states that covered entities must minimize incidental disclosures.
This means covered entities may use the screens in the ER despite the risk of incidental disclosures, but only as long as they make every effort to avoid incidental disclosures (e.g., using them only when necessary and positioning them in a way that minimizes incidental disclosures).
Further, password-protect the hardware that controls the screens and keep it locked when unattended. Shut down all PHI displays on the screens unneeded by clinicians. This helps to minimize incidental disclosures by only displaying PHI when necessary for patient care.