Boston Hospital Warns Staff of Privacy Violations with Pokémon Go

This article first appeared July 22, 2016 on the Medicare Compliance Watch website.

by Steven Andrews

Pokémon Go, the most popular mobile game app ever in the U.S., has captured the attention of players of all ages. But it could also be capturing sensitive images and information in hospitals, which could lead to a violation of HIPAA privacy rules.

Employees at Massachusetts General Hospital received an email yesterday reminding them that Pokémon Go may not be used during work or on hospital property.

“The ability for smart phones (sic) to record images and location via the camera and GPS features pose a significant risk to patient privacy and safety,” wrote Steve Taranto, director of human resources, at Massachusetts General Hospital.

In the game, players are tasked with capturing Pokémon, and the game renders the creatures on top of live environments using the device’s camera.

The Department of Health & Human Services (HHS) offers many resources for providers pertaining to mobile device use in hospitals, including videos, FAQs, and downloadable materials. However, most of HHS’ material is aimed at offering guidance on protecting patient records and medical information by securing devices and encrypting data.

While the game could photograph patient records or other protected health information (PHI), simply capturing a patient’s name or face in the image could lead to a violation.

“Just taking a picture is not a violation,” says Chris Apgar, CISSP, CEO and president of Apgar & Associates in Portland, Oregon.

“It only becomes a violation if the photo is posted on social media without patient authorization received first,” he says. “If the employee loses the phone or the phone is stolen, that could become a breach of PHI, though, if the phone is not encrypted.”

Taking photos on hospital property could also be a violation of a facility’s device usage policy for employees.

The game has hospitals concerned for reasons beyond privacy. Several facilities in Utah are asking players to be considerate of patient safety, and their own, as some gameplay locations are situated near helipads, according to the Daily Herald.

Covenant Healthcare in Michigan, meanwhile, has warned players to avoid using the game on its property, noting the security department and local police have been alerted, according to MLive. Cookeville Regional Medical Center in Tennessee has likewise banned the game from its premises, reports the Herald Citizen, with officials noting that parking is already limited and entering the facility to play could be a safety and privacy risk.