AUA ADVOCACY Converging Paths: Common Ground in Surgery and Law Through Privacy Policy
By: Kate Dwyer, MD, JD, Vanderbilt University Medical Center, Nashville, Tennessee | Posted on: 18 Jun 2024
Technological innovations are an inherent feature of the urologic operating room. Over the last 20 years, cases that were once done open have become routinely robotic. Minimally invasive techniques and miniaturization of instruments have revolutionized kidney stone disease,1 and methods like cryotherapy and high-intensity focused ultrasound have moved into the oncologic space.2 Among the many advances, we are seeing increasing popularity of video and audio recording in the operating room.3 Some institutions have started to adopt comprehensive monitoring in the form of black box technology that integrates performance metrics.4
In the background of our clinical practices, laws and policies shape our experience with and access to these technologies. For example, the US Food and Drug Administration approves device design and safety, the Federal Trade Commission regulates advertising, and the Department of Health and Human Services sets protections for patient access and privacy. In the case of surgical recording, many unresolved issues lie in privacy law. We are collecting swaths of surgical data which have the potential to be used for teaching, research, and quality improvement. Thoughtful and responsible use of this technology requires special attention to patient protections and data security.
The goal is to strike a balance that creates appropriate caution without stifling progress. As novel questions arise, regulations will inevitably follow. Our voices as surgeons will play an important role in molding those protections for optimal benefit to patients’ rights and privacy as well as research and innovation. Recognizing the changing landscape of privacy law allows us to take an active role and share experiences from both the provider and patient perspectives.
The US Legal Landscape
In the US, the Department of Health and Human Services regulates privacy through the Health Insurance Portability and Accountability Act (HIPAA).5 This statutory law was passed in 1996 with the intent to specifically address and promote safe use of electronic health information.6 Its application is limited to health care organizations as “covered entities” and collaborating partners as “business associates.”7
Within HIPAA, the Privacy Rule limits use of personal information and sets time periods for the data to be maintained.6 It grants patients the right to request accounting of disclosures, in other words, information regarding with whom their information is shared. The Security Rule requires implementation of safeguards against breaches, both physical and electronic.8 It also grants a right to patients to have access to their medical information in a “designated record set.”9 In 2009, HIPAA was modified by the Health Information Technology for Economic and Clinical Health Act which allows the record sets to be in digital form and enhances penalties, holding business associates directly accountable.10 When health care information is released outside of internal use, HIPAA requires a formal written authorization from the patient. HIPAA authorizations have express requirements such as a description of what is being disclosed and an expiration date, allowing patients to have greater awareness and control over their information.6
Federal statutory law is only one medium of protections. HIPAA works in tandem with state privacy protections. Where state laws provide “more stringent” protections to patients, such as private causes of action or additional consent requirements, the state laws take control. Beyond changes written into legislation, we often see effects of interpretation by executive branch agencies and courts, which whittle the law into nuanced applications. The Joint Commission, hospital policies, and professional societies can also elaborate ethical considerations above the legal requirements.
The Continued Introduction of New Technologies Will Challenge the Reach of Privacy Law
Despite this web of protections, there are loopholes. HIPAA does not consider anonymized data to fall into the medical record or require patient consent,11 including unidentifiable operative videos such as laparoscopic or robotic footage. HIPAA also does not apply to information that is collected purely for quality improvement rather than individual patient care.12 This means that large repositories of video can be maintained if all 18 HIPAA identifiers have been removed. In practice, we frequently see anonymized operative videos on social media and there have been efforts to share surgical videos as part of training. Interestingly, HIPAA de-identification rules may not sufficiently address risk of re-identification specifically in the setting of big databases and the advent of artificial intelligence.
Because HIPAA does not cover these uses, they do not fall into the designated record set that patients can request. In 2015 and 2017, Wisconsin introduced a bill that would provide a more stringent state standard, allowing patients to both request that a surgery be recorded and then requiring that it be stored in the medical record.13 However, to date no other states have passed a similar law.
Another area of rapid change lies with entities that have historically fallen outside of HIPAA’s reach. For example, device companies were previously exempt for interactions with patients that occur outside of the business associate relationship. However, 15 states have now passed consumer privacy laws that expand protections outside of the health care space.14
The Surgeon Perspective Is Essential to Development of the Law
Surgical recording is just one example of a technological advancement that will spur expanded regulation. To yield an optimal result, legislators will need to consider all stakeholders and understand the incentives that are created. Researchers have begun to raise important questions.3 If surgical recording is not mandatory, who is more likely to have their surgery recorded? Will lower resourced hospital systems have the technology to encrypt and store data? If patients are granted rights to see their surgeries, will we face questions of privacy for surgeons and operating room staff? Surgeons bring a unique perspective that can inform policy changes. By engaging in the development of new policies at all levels—federal, state, and professional societies—we can work to find solutions that both protect patients and optimize the power of these new technologies.
1. Wason SE, Monfared S, Ionson A, Klett DE, Leslie SW. Ureteroscopy. In: StatPearls. StatPearls Publishing; 2024. Accessed May 21, 2024. https://www.ncbi.nlm.nih.gov/books/NBK560556
2. Ahmed HU, Moore C, Emberton M. Minimally-invasive technologies in uro-oncology: the role of cryotherapy, HIFU and photodynamic therapy in whole gland and focal therapy of localised prostate cancer. Surg Oncol. 2009;18(3):219-232. doi:10.1016/j.suronc.2009.02.002
3. Langerman A, Hammack-Aviran C, Glenn Cohen I, et al. Navigating a path toward routine recording in the operating room. Ann Surg. 2023;278(3):e474-e475. doi:10.1097/SLA.0000000000005906
4. Peregrin T. Black box technology shines light on improving OR safety, efficiency. American College of Surgeons. Accessed May 21, 2024. www.facs.org/for-medical-professionals/news-publications/news-and-articles/bulletin/2023/july-2023-volume-108-issue-7/black-box-technology-shines-light-on-improving-or-safety-efficiency
5. Health Insurance Portability and Accountability Act of 1996, Pub L No. 104, 191.
6. Summary of the HIPAA Privacy Rule. US Department of Health and Human Services. October 19, 2022. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
7. Covered Entities and Business Associates. US Department of Health and Human Services. June 16, 2017. https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html
8. Summary of the HIPAA Security Rule. US Department of Health and Human Services. October 19, 2022. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
9. Individuals’ Right Under HIPAA to Access Their Health Information 45 CFR § 164.524. US Department of Health and Human Services. Reviewed January 5, 2024. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
10. Health Information Technology for Economic and Clinical Health Act of 2009. Pub L No. 111-5, 123 Stat 226.
11. Guidance Regarding Methods for De-identification of Protected Health Information in Accordance With the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Office for Civil Rights, DHHS. October 25, 2022. https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html
12. Uses and Disclosures for Treatment, Payment, and Health Care Operations. Office for Civil Rights, DHHS. July 26, 2013. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html
13. Assembly Bill 863. Wisconsin State Legislature. March 2018. https://docs.legis.wisconsin.gov/2017/proposals/ab863
14. 2023 Consumer Data Privacy Legislation. National Conference of State Legislatures. September 28, 2023. https://www.ncsl.org/technology-and-communication/2023-consumer-data-privacy-legislation