Pokémon Go – Staying Ahead of the Game and Avoiding Unexpected HIPAA Risks
It was inevitable – Pokémon Go fever has swept the nation, and now little cartoon creatures have found their way into your health care facility.
Yes, you read that right, those pesky (or beloved, depending on your point of view) creatures are popping up literally everywhere, and unfortunately hospitals and other health care facilities are no exception. As a result, in addition to keeping up with the various advances in mobile technology related to health care and patient management, health care facilities across the country must now add keeping up with virtual and augmented reality to their to-do lists.
So why should this matter to your health care facility?
Currently, industry trends suggest that hospitals and other health care facilities are taking two divergent views when it comes to this new frontier – (a) asking to be taken off the “map” (i.e., having Pokémon removed from their property), or (b) embracing the game, as it motivates the young (and old) to be active. While the latter could be tempting – and for some facilities with proper controls it could be successful – for most, we recommend taking whatever steps possible to prohibit game play within your health care facility.
Regardless of the road taken by your facility, there are a few key considerations to keep in mind when evaluating potential HIPAA risks related to virtual and augmented reality games, which are only likely to grow substantially in number in the future.
How do Pokémon Go and augmented reality games work?
At first glance, this specific game (which is fairly primitive as augmented reality) doesn’t appear problematic from a HIPAA perspective. However, there are some hidden risks. The Pokémon game’s functionality allows a user to switch between a virtual map and a camera mode, which literally shows the Pokémon in the world around the player. The images seen on the player’s phone do not appear to be saved or shared automatically – however, the mobile application does offer the option of letting you take a photo of what you see from within the app. In a world dominated by social media, this is where the problem arises.
Pokémon Go and other augmented reality games allow a player to engage in a virtual game which takes place in the real world around them. Pokémon Go players are motivated to take photos of their surroundings and share them with third parties and on social media. In a health care environment, this could easily result in a player – whether patient, employee or third-party gamesman – inadvertently sharing protected health information (PHI) with all of his or her followers in as little as four clicks from taking a screenshot.
Many hospitals are already dealing with the unintended consequences of individuals playing Pokémon Go and wandering into areas containing sensitive information. Even if photographs are not taken, the mere presence of individuals who are only on premises for the purpose of playing a game heightens potential information privacy and security risks.
What is this picture worth?
Hospitals have learned the hard way the high cost of a HIPAA violation. In April of this year the Department of Health and Human Services, Office for Civil Rights (OCR) reached a $2.2 million settlement with New York Presbyterian Hospital for the filming of “NY Med” on the premises, which resulted in the unauthorized sharing of two patients’ images. OCR also determined that the hospital failed to safeguard health information when it offered the film crew access to an environment where PHI could not be effectively protected.
OCR is likely to follow the same logic in the context of augmented reality games and the potential exposure of PHI to unauthorized parties. Having Pokémon Go players on hospital premises – including patients, visitors, employees and, most especially, those present solely for the purpose of playing the game – could lead to unnecessary HIPAA risks.
Best practices for Pokémon Go and its successors:
Take yourself off the “map,” but remember this is not where the story ends: To alleviate a number of risks, you can, of course, submit an online request to Niantic Labs – the creator of Pokémon Go – to be removed as an in-game location. However, this step alone will not be sufficient to end all possible risks related to Pokémon Go and the universe of augmented reality that could pop up next. It is also notable that the process for being removed as a stop has proven lengthy; it would therefore be advisable to take additional steps regarding your stance on Pokémon Go and augmented reality games. To speed up the process, consider writing a formal demand – above and beyond the online system – to have your coordinates removed from game play.
Determine your stance on patient play: Aside from hospital policies on visitor and patient cell phone use, determine if your establishment wants to promote patient use of Pokémon Go. Many facilities are finding Pokémon Go to be a valuable tool in promoting exercise and activity – especially post-procedure. If your hospital wants to take that approach, consider limiting play to “Pokémon Zones” where PHI is less accessible and adequately protected. However, keep in mind that significant risks remain related to permitting unauthorized individuals access to PHI.
Determine if health care providers and hospital staff should be prohibited from playing: Reevaluate your social media and bring-your-own-device policies to determine if augmented reality games such as Pokémon Go need to be specifically addressed. The player base of Pokémon Go appears to be growing exponentially, and it is highly unlikely that facilities’ employees are not among those playing or considering playing. While taking photographs is often prohibited in hospital settings, make sure the policy is clear that the prohibition applies to photos in the augmented reality space. Take the opportunity to clarify and reiterate acceptable social media practices. Also, if your hospital is creating “Pokémon Zones,” stress to health care providers and staff that this applies to them as well.
While Pokémon Go took over the scene almost literally overnight, this is just a glimpse of what the future holds. As augmented reality mobile applications and games become even more popular, and more immersive, these issues are bound to come up again and reinvent themselves in the form of new challenges. Now is the time to determine your organization’s policy on augmented reality and revisit social media and BYOD policies. Pokémon Go may or may not be here to stay – but it is definitely not one of a kind.