Say it ain’t so! Pokemon Go and HIPAA breaches, really? REALLY! Creatures are showing up in offices and hospitals just like everywhere else. The concept of keeping people active and engaged with their surroundings while playing a video game seems like a great idea from a healthcare standpoint. However, if you actually do a risk assessment of it, the game can pose some serious problems.
How is Pokemon a Privacy Risk?
There are two main ways that Pokemon Go and HIPAA breaches can be linked.
- You can turn on your camera and include the surroundings in your game play. You can then take a picture of that game play and share it on social media.
- Your quest to find the Mewtwo, Jigglypuff, or Squirtle causes you to wander wherever the map takes you, regardless of the signs that may tell you not to enter an area where patients are treated.
So, we have people wandering around not paying attention to where they are until they encounter a Squirtle. Then, they battle and film the action overlooking the patient treatment area, waiting room, or screen with a chart on it. The player usually doesn’t notice these things because they are busy playing and not paying attention to their surroundings.
So, what does this mean?
Clearly, this shows another reason to pay attention to risks that may seem unimportant until you actually stop and consider the potential for problems. So, you need to run a risk analysis. Risk analysis isn’t always a huge undertaking. In fact, more often than not it means evaluating even the simplest of environmental changes.
Evaluating risk can include just one thing but should follow the same steps each time:
- First, document the concepts and ideas you evaluated.
- Then, document the ways it could lead to a change in the confidentiality, integrity, or availability (CIA) of PHI.
- After that, document the level of risk you think it involves.
- Also, document what you plan to do about the risk.
- Finally, document how you will evaluate the risk in the future to confirm there are no changes.
How do you deal with Pokemon Go and HIPAA Breaches?
You can contact Niantic Labs, but it doesn’t seem like that is an easy or quick process. A better option is to create internal policies for your office or clinic. You need to decide whether or not you are going to allow your staff, patients, and visitors to play. A training session for your staff should also take place. Make sure everyone receives training on how and why the new rules came into place. Be sure to update your new employee training as well. Publish these policies in easily viewable places for visitors and patients, and have reminders in place for your staff. You can also designate personnel to police/enforce the policies since the people roaming around and playing the game are pretty easy to spot.