The Potential for Undue Patient Exposure during the Use of Telementoring Technology

Background Surgical telementoring holds great promise for safe and effective patient care and medical education, but recording and streaming audio and video introduces the potential for exposure of patient information. Physicians maintain an ethical responsibility to protect the privacy of patients, and privacy violations may carry significant legal liability. Despite the legal treatment of violations as discrete, methods for quantifying and characterizing the exposure of patient information during procedural recordings are lacking. This study is the first to quantify the potential risk for violation of privacy when using a wearable, telementoring technology capable of video and audio recording during surgical procedures in various locations including the operating room, interventional radiology suite, and the intensive care unit. Methods A head-mounted recording device, Google Glass™, was used to record routine neurosurgical and critical care procedures in a convenience sample of patients. Periods of maximal risk, including the beginning of procedures, were targeted. Recordings were manually coded for discrete instances of exposure of directly identifying information and indirectly identifying information. Results Twenty-two procedures were recorded for a total of 12 hours, during which 807 directly identifiable exposures were found. The overall average rate of exposure was 1.13 exposures per minute. Most exposures were full-face images (90%), names (7%), or phone numbers (3%). Indirectly identifying exposures were found to be tattoos, genitals, and caretaker names. The rate of exposures was found to be lower in the operating room (OR) when compared to the intensive care unit (ICU) or interventional radiology (IR) suite (p = 0.0376). Conclusions High rates of potential privacy violations were discovered and found to be related the location of the procedure. Sterile draping of the face prior to recording, when appropriate, would mitigate most exposure risk, though patient names and unique tattoos may be an underappreciated source of potential exposure. This study establishes the most conservative baseline to compare techniques for preventing exposure of patient information on telementoring or video/audio recording/streaming platforms.


Results
Twenty-two procedures were recorded for a total of 12 hours, during which 807 directly identifiable exposures were found. The overall average rate of exposure was 1.13 exposures per minute. Most exposures were full-face images (90%), names (7%), or phone numbers (3%). Indirectly identifying exposures were found to be tattoos, genitals, and caretaker names. The rate of exposures was found to be lower in the operating room (OR) when compared to the intensive care unit (ICU) or interventional radiology (IR) suite (p = 0.0376).

Conclusions
High rates of potential privacy violations were discovered and found to be related the location of the procedure. Sterile draping of the face prior to recording, when appropriate, would mitigate most exposure risk, though patient names and unique tattoos may be an underappreciated source of potential exposure. This study establishes the most conservative baseline to compare techniques for preventing exposure of patient information on telementoring or video/audio recording/streaming platforms. 1 2 1

Introduction
Intraoperative and perioperative video recording have become a mainstay practice for operative feedback and medical education. Analyses of these recordings provide insight into novel procedures and allow students to critically consider and correct their performance [1,2]. Advances in robotics, recording, and bandwidth technology have facilitated the implementation of telementoring technologies in medical education. Machinery and peripherals such as the da Vinci® allow remote teachers to engage fully with the operation and guide students using telestration in real time [3][4][5][6]. Telementoring technologies are continually becoming more affordable, and implementation can be as simple as putting on a pair of glasses [7,8].
The development of compact telementoring platforms, such as Google Glass™, provides students with tailored feedback and reduces procedural complication risk of teaching students, creating an ethical impetus for these high-fidelity technologies [9]. Telementoring technologies establish an active connection to the procedure, wherein a distant surgeon can guide a trainee as they learn a new procedure or encounter an unexpected emergency [6,[10][11][12]. Telementoring could revise the "see one-do one-teach one" didactic standard, giving students a more refined understanding and an additional means to assess their skill and knowledge [11,13,14].
Telementoring may also benefit practicing physicians by providing a dynamic and effective method of teaching, even when trainers or trainees are at remote locations [9]. Medical education may be more effectively distributed to trainees while allowing attending surgeons to direct more of their time toward their practice [3,12,15]. Learning new surgical procedures is difficult and can be dangerous to patients. Surgeons who are less experienced have a higher frequency of complications [16]. With the use of telementoring, surgeons may be able to use the expertise of a more experienced surgeon in order to safely learn new techniques [10,17]. As a result, telementoring can extend medical education so that students and practicing physicians can receive advice from experts anywhere in the world [14,18]. Furthermore, telemonitoring can help developing nations train practitioners who would otherwise lack the necessary educational resources [7,19].
Telementoring may also empower patients to become knowledgeable consumers who can find expert and experienced care that would otherwise not be geographically accessible [3,4]. As a result, patients may be able to access previously unavailable, quality care. The addition of a mentoring surgeon comforts the patient and provides expert oversight during their procedure [10].
Although telementoring provides a unique and potentially effective platform for medical education, its integration may infringe on important ethical standards [20]. Effective implementation of telementoring requires striking a balance between security and accessibility [8]. Expanding connections to external networks provides a potential route for the loss of private data gathered during telementoring and dissuades patients from consenting to recording [21][22][23][24]. Transmission over unsecure, public networks could result in HIPAA violations by exposing identifiable patient information such as images of a patient's face [25]. In order to understand the potential liability and provide an effective learning platform, it is necessary to determine the propensity for telementoring technology to violate HIPAA standards and patient privacy [4,6]. Such analysis will provide a foundation to create robust directives for liability and licensing for what stands to revolutionize medical education [10,26].
Rates of potential exposure during video recording for the purpose of telementoring or self-study have not been well described. To establish baseline rates and better understand patient privacy, this study attempts to characterize and establish the risk of exposing patient privacy in particularly vulnerable environments, namely around and during the time of surgery or procedures with the use of a point-of-view audio and video recording platform capable of telementoring.

Materials And Methods
A convenience sample of patients were recruited by the principal investigator during the course of routine neurosurgical procedures. The University of Minnesota Institutional Review Board approved this study, and the PI obtained consent for recordings directly from patients. All patients prospectively consented for the study. Recording was continuous and focused on the most exposed portions of longer operations, always including the beginning of procedures when patients were being prepared. Google Glass™ was worn until the procedure/operation ended, the extended battery was depleted, or the use of an intraoperative microscope was required, necessitating removal of the glasses. The videos were stored locally on the Google Glass™ hardware and later transferred to a secure and encrypted hard drive.
The types of exposures and associated risk were divided into several categories as follows.
Identifying variables provide a direct identification of the patient (e.g., name or phone number) and carry the most severe risk of exposure. Intermediate risk quasi-identifiers are variables that help but are not sufficient to uniquely identify the patient (e.g., gender, DOB). Low risk nonidentifying variables do not expose the patient to identification [27]. Non-identifying variables include lab values or potentially sensitive exposures (e.g., pictures of genitalia) [28]. The variables examined in this study were applied to both audio and video as well as quasiidentifiers examined in previous studies (Table 1) [27,28]. Accordingly, we grouped these categories into directly identifying and indirectly identifying categories, corresponding to high risk and low risk, respectively.

TABLE 1: Identifying, quasi-identifying and non-identifying variables
Video and audio streams were coded for potential HIPAA violations as well as any other potential sources of identity that were discovered. To quantify a discrete instance of potential privacy exposure, a single count was defined as an instance of exposure that was interrupted by a period of non-exposure. While HIPAA guidelines were used as the standard, we further identified variables that would jeopardize patient privacy if a video had been publicly released. Additionally, we examined the video and audio streams for information that was not readily discernible but possibly discernible with advanced analysis. In order to investigate the difference in rates of exposure between locations, a quasi-Poisson generalized linear model was used to correct for over dispersion of counted data. Differences were considered statistically significant when a p-value was found to be less than 0.05. The R software system was used for all statistical calculations [29]. Google Glass™ is not FDA approved for any medical use.

Results
Nearly 12 hours of video and audio were recorded during 22 total procedures. There were 10 procedures recorded in the intensive care unit (ICU), five procedures in the interventional radiology (IR) suite, and seven procedures in the operating room (OR). In total, there were 807 exposures, resulting in an overall average exposure rate of 1.13 per minute, as shown in Table  2

TABLE 2: Total recorded procedural videos and potential exposures
Direct identifying information such as name, phone number, or full face photographs coded from the video and audio is listed in Table 3.  Indirect identifying information such as date of birth or other uniquely discovered identifying information such as tattoos or even phone lock code coded from audio and video are listed in Table 4.

TABLE 4: Indirect identifying variables
We additionally compared the exposure rates for video between the different locations recorded, as listed in Table 5. The OR was compared to the ICU and IR suite, where a statistically significant difference was found between rates (p = 0.0376).

Discussion
To our knowledge, this is the first study to quantitatively characterize the risk of potential privacy exposure and HIPAA violations in video and audio recordings of operations and procedures during the routine use of telementoring technology. As a necessary component of a telementoring platform, recorded or streaming video and audio may pose significant risk primarily through exposure of a patient's face, which was an order of magnitude more common than the second most common exposure in this study, a patient's name.
Our hope is to quantify and characterize exposure rates for future comparison in studies aimed at reducing these rates from what we consider to maximally exposed situations where no special precautions were taken to mitigate exposure risk. This approach was chosen to provide frank, naïve estimates for the risk of exposure to later compare with informed, prevention strategies.
Overall, we found an average rate of more than one exposure per minute. Importantly, full-face photographs composed more than 90% of the Direct Identifying exposures, while names (7%) and phone numbers (3%) composed the rest. Exposures during audio recordings were dominated by names (98%) and a medical record number (2%). Preventing the recording of faces by waiting to begin recording until after complete draping, when appropriate, would significantly reduce the exposure risk.
Indirect Identifying categories were dominated by novel categories discovered during recordings as potential privacy exposures and included tattoos (55%), genitals (34%), and a caretaker name (10%). There were only rare exposures of birth date (1%) on audio or video. Unique tattoos were an unexpected driver of potential exposures and would also be minimized by postponing video recording until after sterile draping.
Our approach to analysis of the video was based on the assumption that a video could be released to the general public in a retained file. If a video was released via a public network, then the video file would be reviewable without the limitation of traditional broadcast videos. Sophisticated analysis tools may increase the probability of revealing subtle information about a patient. Accordingly, we re-examined our own data to further code for images containing variables that, while not readily discernible, hold the potential for exposure if sophisticated techniques were used. We identified 25 more instances of possible name exposure and five more instances of full-face exposure. Only three discrete instances of potential name exposure were during procedures when the name was not already discernible, and all five potential full-face exposures were during videos when the face had already been discernible. In general, it is important to recognize that today, the release of a video implies that the entire file can be scrutinized using advanced video analysis tools, and even the metadata (embedded data) of the video file can reveal information about the patient or procedure.
Given these results, the periods of greatest potential for exposure include the beginning and end of a procedure or operation, since any identifiable information is usually covered by sterile draping. We intentionally chose to record video as early as possible to examine this period of maximal risk in this first study. Our data revealed that location may play a role in the rate of exposure, which corresponds with common sense about the level of control in a specific environment. When we compared the rates of exposure in the operating room with rates of exposure in the interventional radiology suite (which also involved procedures where the face is exposed) and in the intensive care unit, we discovered that exposure rates in the operating room were statistically lower, despite heterogeneous data. Longer procedure times and a more controlled environment readily explain this difference.

Limitations
We acknowledge several limitations of our study. While we attempted to include a variety of locations and procedures with potentially high exposure rates, we only included neurosurgical and critical care procedures. Our length of recording time was limited to a couple of hours, so only the beginning of some of the longer operations was recorded, though we estimate much lower risk for exposure during the remainder of these cases and similar or less exposure risk at the end of procedures when compared with the beginning. Our methodology included only the use of a glasses-mounted platform, Google Glass™, while several other options exist with varying resolution. Our method of quantifying potential exposures attempts to describe discrete segments of potential violation, but there are many ways to measure exposure such as number of frames or seconds. We chose discrete instances because of the ability for indefinite review if released to the public digitally and the potential legal treatment. Further consideration should be given to other platforms that utilize different video resolution, frame rate, or encoding. Additionally, advanced analytical techniques for recovery could also be explored on control data.

Conclusions
Video and audio recording during procedures or operations using a head-mounted camera may pose substantial risk for exposure of patient-identifiable information when no significant prevention strategies are employed. While the majority of risk stems from the exposure of the faces of patients where mitigation is easily achieved (draping), some risk remains from patient names posted on the surroundings. Controlled environments where patients are more uniformly draped (OR) may carry reduced risk when compared to the ICU or IR suite. Strategies for reducing or removing exposure risk on audio and video recordings may assess efficacy against the results of this study.

Additional Information Disclosures
Human subjects: Consent was obtained by all participants in this study. University of Minnesota Institutional Review Board issued approval 1402M48127. Animal subjects: All authors have confirmed that this study did not involve animal subjects or tissue. Conflicts of interest: In compliance with the ICMJE uniform disclosure form, all authors declare the following: Payment/services info: All authors have declared that no financial support was received from any organization for the submitted work. Financial relationships: All authors have declared that they have no financial relationships at present or within the previous three years with any organizations that might have an interest in the submitted work. Other relationships: All authors have declared that there are no other relationships or activities that could appear to have influenced the submitted work.