Legal perspectives on black box recording devices in the operating environment.

BACKGROUND: A video and medical data recorder in the operating theatre is possible, but concerns over privacy, data use and litigation have limited widespread implementation. The literature on legal considerations and challenges to overcome, and guidelines related to use of data recording in the surgical environment, are presented in this narrative review.
METHODS: A review of PubMed and Embase databases and Cochrane Library was undertaken. International jurisprudence on the topic was searched. Practice recommendations and legal perspectives were acquired based on experience with implementation and use of a video and medical data recorder in the operating theatre.
RESULTS: After removing duplicates, 116 citations were retrieved and abstracts screened; 31 articles were assessed for eligibility and 20 papers were finally included. According to the European General Data Protection Regulation and US Health Insurance Portability and Accountability Act, researchers are required to make sure that personal data collected from patients and healthcare professionals are used fairly and lawfully, for limited and specifically stated purposes, in an adequate and relevant manner, kept safe and secure, and stored for no longer than is absolutely necessary. Data collected for the sole purpose of healthcare quality improvement are not required to be added to the patient's medical record.
CONCLUSION: Transparency on the use and purpose of recorded data should be ensured to both staff and patients. The recorded video data do not need to be used as evidence in court if patient medical records are well maintained. Clear legislation on data responsibility is needed to use the medical recorder optimally for quality improvement initiatives.

Introduction

The number of healthcare professionals using an audio, video or complete data recorder in the surgical environment, sometimes referred to as a medical data recorder (MDR) or ‘black box’, is increasing1, 2, 3. A MDR is able to record operational data (for example from overview cameras, laparoscopic cameras, anaesthetic and environmental equipment), enabling analysis of technical and non‐technical elements4. It provides theatre staff the opportunity to learn from their performance or suboptimal situations to enhance team performance5, 6, 7, 8, 9, 10, 11. Surgical procedures may be recorded for purposes of education, research and quality improvement3, 12. Although this has been associated with a reduction in errors, there are concerns about the adequacy of implementation related to privacy, ownership of data and medical negligence4, 8, 10, 13, 14. Understandably, medical practitioners fear that a MDR could be misused for punitive or controlling purposes, a situation that inevitably leads to scepticism, user resistance and loss of autonomy7, 13, 15. These very real medicolegal concerns are hindering the optimal use of the MDR3, 5.

Other high‐risk industries such as aviation (flight data recorder), offshore oil platforms and maritime transport (voyage data recorder) have used black boxes to analyse suboptimal situations and errors for quite some time16. In these industries, they have been embedded in legal and operational frameworks that are sorely lacking in the surgical environment7, 17. This study reviewed the privacy law concerns, medicolegal considerations and universal legal requirements regarding MDR use.

Methods

A comprehensive search for peer‐reviewed literature published in the past 12 years (January 2007 to December 2018) was conducted using the PubMed and Embase databases and the Cochrane Library. The following search terms were included: video recording, operating room, theatre, endoscopic, medicolegal, legislation, ethics and law. Non‐English and non‐Dutch publications were excluded. The exact search algorithms can be found in Appendix S1 (supporting information). The articles reviewed comprised a broad range of methods, including mainly descriptive, opinion or narrative reviews. For this reason, no attempt was made to grade the levels of evidence systematically or to undertake a statistical analysis18.

In addition, jurisprudence on the topic from North American and European jurisdictions was searched to find examples of medicolegal cases in which video recordings were used as evidence19, 20. A professor of health law at the University of Amsterdam collaborated in this study, to ensure correct interpretation of the legal literature.

Results

The literature search yielded 95 citations from the PubMed database, no review citations from the Cochrane Library and 26 from Embase. After removing duplicates, unrelated fields, abstracts without full text and non‐relevant papers, 20 manuscripts were included in the review (Fig. 1).

Figure 1

Flow chart showing selection of articles for review

In 2016, one MDR was installed in an ENDOALPHA operating suite (Olympus Europa, Hamburg, Germany) in the Amsterdam University Medical Centre4, 21. It has since been used to record selected laparoscopic abdominal procedures. This recorder is able to capture a multitude of data streams (overview cameras, laparoscopic camera, microphones, anaesthesia monitor). Procedures were recorded between the time‐out and sign‐out time stamp of the surgical procedure22, 23. These recordings were analysed by a specialized trained team in Toronto, Canada4. The performance report generated was used as a tool for structured postoperative team debriefing24, 25.

Aviation safety system perspective

The safety initiatives of the aviation industry have been compared with those of healthcare15, 26, 27.

Following a series of high‐profile crashes that threatened the sustainability of the passenger jet industry, the National Aeronautics and Space Administration (NASA) research community and regulatory industries led investigations in the 1970s28. Since then, as part of joint NASA and Federal Aviation Administration (FAA) initiatives, behavioural science researchers have scrutinized tens of thousands of simulator and live flights. These recognized human performance as factors in aviation safety29, 30, 31. NASA now operates an Aviation Safety Reporting System (ASRS) that offers the incentives of anonymity and immunity to pilots who report an unsafe situation within 10 days of its occurrence26. All identifying information in the report is then removed before the incident is investigated and any lessons are publicized. Later, if the FAA attempts to take punitive action against those involved, the ASRS reference number provides evidence of a constructive safety attitude, such that penalties are not imposed (provided that the mistakes were inadvertent and did not constitute a criminal offence)26.

Safety management system requirements have also been introduced into European Union (EU) law. The European aviation safety system is based on a comprehensive set of common safety rules, which are overseen by the European Commission, the European Aviation Safety Agency and the National Aviation Authorities. These rules are directly applicable to all EU member states17. In addition, the EU has regulated the reporting, analysis and follow‐up of aviation safety threats32. The current legislation sets out how relevant safety information relating to civil aviation is reported, collected, stored, protected, exchanged, disseminated, analysed and acted upon17, 33.

The aviation industry holds Six Sigma (nearly perfect) safety records, because it uses the system approach, deals with errors non‐punitively yet proactively, and reduces the consequences of error before escalation28, 34, 35, 36. This way of reporting and managing error results in a ‘just culture’, where aviation professionals feel confident to report events (even their own mistakes), by promoting balanced accountability for individuals and organizations responsible17. This is a critical ingredient to the creation of a safety culture37. Other high‐risk industries have adopted this philosophy, accepting that human error is both inevitable and ubiquitous36. The medical profession has incorporated some of these safety lessons30, 31, 38.

In the past few years, the number of patients harmed by medical error has gained public attention. Some of these mishaps have reached unsatisfactory conclusions for all involved parties31, 39. The medical profession traditionally employs the personal approach, which acts as a disincentive to voluntary reporting, and inhibits the search for systemic conditions or triggers that lead to error40, 41. These conclusions have resulted in several national and international guidelines and regulations, aimed at the broad implementation of safety systems that address human factors, such as teamwork and communication37, 41, 42.

Privacy perspective

The use of a MDR should conform to certain rules and requirements relating to the privacy of both the healthcare professional and the patient2, 43. Throughout Western legislation, privacy laws relating to personal data, medical records and professional confidentiality apply to MDRs44, 45, 46, 47. The new European General Data Protection Regulation (GDPR) took effect in May 2018. It was designed to harmonize all the data privacy laws across the EU48, 49. It has a processing obligation that requires all individuals involved to be strictly and clearly informed about what happens to their personal data44, 48, 49. Researchers are respectively required to make sure that personal data collected from patients and healthcare professionals are used fairly and lawfully, for limited and specifically stated purposes, in an adequate, relevant and sober manner, and kept safe and secure and stored for no longer than is absolutely necessary47, 50, 51, 52.

The privacy‐by‐design principle is of great importance, regardless of the country in which a project collecting medical data using a MDR is carried out48, 53. According to this principle, the privacy of the users has to be taken into account from the very beginning of engineering the system, mainly by making optimal use of privacy‐enhancing technical solutions54, 55. Thus, video, audio and medical data related to healthcare staff should be anonymized as early as possible. This entails deidentifying the data (for example by voice alteration and image blurring), so that it cannot be linked back to the person56. The Health Insurance Portability and Accountability Act (HIPAA) in the USA, the Personal Information Protection and Electronic Documents Act in Canada and the GDPR in the EU require data protection with confidentiality and integrity57. Furthermore, they require that identifiable personal health information in any form, either electronic, written or oral, should be made available to patients3. As Henken and colleagues43 state in their review, the distinction between information that must be included in a patient record and information that can be excluded is not as clear in the USA as in the EU. However, as in the GDPR, the HIPAA allows for the use of limited data sets (deidentified) for the purposes of research and quality improvement initiatives57.

In laparoscopic surgery, the patient's consent to the making of an intra‐abdominal video could be included in the informed consent for the complete treatment, as it is used to perform the surgical procedure58, 59, 60, 61, 62. Consequently, only the laparoscopically generated video stream, but not the operating room overview video stream in which the theatre staff is visible, becomes part of the patient's medical record63. The GDPR data retention rule of thumb is ‘as long as necessary, as short as possible’48. Data included in the patient's medical record must be accessible to the patient and stored for at least 5 years, depending on the country and state the patient is treated in64, 65.

Medicolegal perspective

Data collected by a MDR for the sole purpose of quality improvement and training of the operating team is not intended to be used for patient diagnosis, evaluation or treatment. The patient's medical record should only include information relevant to the patient's health and healthcare7, 51, 66. Thus, such data should not be added to the patient's medical record nor handed over to the patient or their legal representatives3, 7. This does not preclude the healthcare professional from reporting a calamity or a ‘near miss’ just as in an unrecorded surgical procedure. In the face of such an event, it is common for hospital protocols in North America and most European countries to require that the patient is informed of the situation as early as possible, and the incident clearly noted in the patient's medical record37, 40, 61, 67.

In the case of a serious adverse event (a critical unexpected incident with the outcome severe injury or death) resulting in a lawsuit, a judge may decide to breach the legal protection of the healthcare professional by asking the institute for the video MDR data. However, reported cases indicate that in most jurisdictions judges are aware of the importance of protecting information that is collected for the sole purpose of quality improvement, and will breach this protection only if vital information is lacking in the medical record and cannot be retrieved in any other way7, 44, 68, 69. However, even if video data have to be provided, various court cases have demonstrated that these recordings actually predominantly lend legal support specifically to the healthcare professional or surgeon43, 70, 71, 72, 73, 74, 75, 76. An American medical malpractice claim showed that a surgeon could indeed prove, with the help of reviewing the videotape of the laparoscopic cholecystectomy in court, that the standard of care was not breached72. In a similar case, a Dutch urologist proved that he did not act negligently during the nephrectomy by showing the video recording of the procedure71.

Hoschtitzky and colleagues (London, UK)70 demonstrated in their care report that the video recording provided supportive evidence of good practice and an open attitude to patient safety. With the help of the video recording, they were able to document all the surgical steps accurately and it allowed them to state confidently that no missing equipment was inadvertently left behind in the patient. On the other hand, in January 2016, a Dutch surgeon had a medical malpractice suit filed against him after a complicated cholecystectomy. He was unable to prove that he obtained the critical view of safety because he could not show the judge the video recordings. The surgeon was hence found guilty73. Besides that, when privileged information is used in court without justification, both American and European laws contain provisions that have consequences in favour of the unjustly accused37.

Discussion

As is often the case with relatively new technology, legal guidelines on the use of MDRs are currently lacking. However, the general privacy principles are clear on how to design such a system and how to optimize conditions for use. Lessons are learned from the aviation industry, and the main issues that should be addressed are related to the privacy and legislation perspectives.

Patients may rely on professional ethics and best judgement in deciding which of the permissive uses of the MDR and disclosures the healthcare professional has to make57. Regardless of the national differences in legislation, the importance of the general privacy principles, to ensure clear consensus and openness between participants and researchers about the methods and purpose of the MDR, is to be highlighted2, 56, 77. Any possible information that might identify the patient or healthcare provider should either be blurred, scrambled or, whenever possible, removed as early as possible and not be reflected in the reporting output. Most importantly, as the patient is not the object of the study itself, patient identifiers should be removed. This means that written informed consent does not necessarily have to be obtained from the patient57, 78, 79. According to the general privacy rules, an opt‐out option is sufficient and should be provided to the patient in a timely manner, with their decision clearly noted in the medical record3, 5, 80.

As far as the operating theatre staff is concerned, authors recommend that theatre staff, including medical students, are asked formally, upon embarking on such a quality initiative, to volunteer to work with the innovation62. An official informed consent stating the purpose of the data recordings, where the data recordings are analysed, what the expected benefits for the participants are, and how the data are stored securely may help in gaining support and momentum for the MDR initiative48, 81, 82. It should be emphasized that their safety and personal privacy is protected, ensuring full transparency of the methods used58, 80, 83, 84, 85. Based on this review and the authors' experience, an overview of the recommended practice and legal guidelines is presented in Table 1.

Table 1

Key dimension, recommendations and legal guidelines on the use of a medical data recorder in the operating theatre

Key dimension	Practice recommendations	Legal implications
What is the purpose?	Quality improvement, such as structured team debriefing or enhanced morbidity and mortality meetings. The purpose of data collection is for theatre staff to learn from what went well and what can be done better	It is important that the goal is clearly specified. When a MDR is used in the authors' centre, the patient is not the main focus of the initiative. The purpose is quality improvement of operating teams and workflow, or support of hospital quality safeguarding systems. Hence, the data are not required to be added to the patient's medical file. Only the laparoscopic camera footage is added and accessible to patient, in accordance with standard protocol
Who and what do the data cover?	The theatre staff is being recorded using audio and video during the surgical procedure; patient parameters on the anaesthesia monitor and the laparoscopic camera views are recorded. Other data sources considered to be of relevance may be added to the data set collected (door movements, room temperature, etc.)	Given that the purpose is quality improvement, patient consent may be assumed. The patient needs to be informed about planning of the operation by the surgeon and has the possibility to opt out without negative consequences (no delay in planning). The MDR is used as a quality improvement tool and so, if adequate safeguards are put in place, the hospital may state that the theatre staff is expected to participate
What about privacy and the privacy‐by‐design principle?	Recordings may initially collect, but not process, the patient's personal identifiers. The patient's personal identifiers need to be stripped from the file as soon as possible (deidentification). Faces of theatre staff need to be scrambled and voices altered. To protect the patient's privacy maximally, it is advised that their face and genitals are not recorded by cameras when this serves no purpose	General privacy principles must be respected Data are kept safe and secure, and stored for no longer than is absolutely necessary. The privacy of staff and patients needs to be taken into account from the very beginning by making use of privacy‐enhancing technical solutions
Who is responsible for the data?	The hospital needs to assign a responsible person for the MDR. In trial settings, project coordinators and principal investigators are responsible for collecting the data and secure storage of the outcome report. In this case, the original data set (including video recordings) is sent immediately to the data analysis centre and, after it has been analysed, the pseudoanonymous outcome report is sent back. The original data are deleted, as the purpose of the original data has been fulfilled and the original data are no longer needed	An official agreement on confidentiality signed by the hospital directorate assures that the original and outcome data cannot be requested and used for any purpose other than that stated in the agreement Clear legislation is needed to make sure the inspectorate and other external parties cannot request the data
Which format should the data be in?	The original recordings are used for systematic analysis of the theatre team's performance. A performance report is created. Only the performance report, enhanced with video clips, is presented to the team. As soon as the performance report has been created (in this case within 48 h), the original data are deleted	The general privacy‐by‐design principles Data are used fairly, and for limited and specifically stated purposes in an adequate and relevant manner. The performance report is stripped of any identifiable information. To enhance privacy, the faces of theatre staff are blurred and voices altered

MDR, medical data recorder.

Informing patients about having a MDR that is used solely for the purposes of team debriefing may significantly contribute to the patient's trust, as most of them value this quality improvement measure. Regardless of this, healthcare professionals should not ignore the fact that, in time, society may shift towards favouring the idea that MDR‐generated video and data recordings should be accessible to patients, next to the information that is already accessible via their medical record70, 86, 87, 88. In the future, society may decide to choose transparency over the medicolegal concerns of medical employees and demand full legal access for the patient to the information generated by MDRs4, 85. In the USA, the state of Wisconsin89 has already drafted legislation to allow patients to access video recordings of their surgical procedures. If future legislation were to support the position that the MDR should become part of standard care, and if the output should become part of the patient's medical record, healthcare professionals would be bound to work in a continuously monitored environment, where all results are accessible to patients. This may be an argument for organizations to start exploring optimal use of MDRs, which may secure optimal conditions for both patient and providers, as soon as possible.

In the authors' opinion, the fear that a MDR bears an increased risk of medical negligence litigation, limited performance or loss of professional status is unjustified, as long as good professional standards of patient medical record keeping and reporting of adverse events are maintained31, 39, 40, 70, 75, 90. To help dissipate any remaining fear, resistance or doubt, the principal investigator of the MDR project can instigate an official agreement on confidentiality signed and supported by the hospital directorate. The researchers and the institute are, in accordance with the official agreement, bound to refuse the disclosure of any output obtained by the MDR77.

It is important to emphasize that, if a severe adverse event occurs, video recordings usually help rather than harm the healthcare professionals involved. The chain of (re)actions and decisions resulting in the unwanted event are better understood with the objective help of the MDR. MDR data may help in augmenting the analysis of a calamity or near miss when constructing a public calamity report. The data source itself is protected by law. Besides, if he or she has provided reasonable quality standard of care, no punitive measures can be imposed91, 92, 93. Nevertheless, several hospitals in the USA ceased video recording after receiving legal advice to do so, as a result of their medicolegal concerns and the introduction of the HIPAA in 19963. Hospital administrators, especially in the USA, are often extra cautious, owing to an increasingly hostile medicolegal environment12. Plenty of court cases have demonstrated that video recordings actually lend legal support to the healthcare professional or surgeon70, 71, 72, 73, 74, 75, 76.

Healthcare professionals who are not well informed may also respond reluctantly to the use of a MDR, because they are afraid they will have to behave differently: ‘Can I still play music, make jokes or use bad language?’. It is important to take this viewpoint into account as well. Differences in staff perceptions of good behaviour may exist among team members working in a high‐risk environment for behaviour that unsettles the team94, 95, 96, 97, 98, 99. Disturbing behaviour or even bullying in the operating theatre, such as inappropriate joking or degrading comments, usually goes unreported and is considered part of the job99, 100, 101. Team members may feel powerless to address certain behaviour while it is occurring96, 102. The ultimate impact of these issues is poor teamwork and an increased risk of adverse perioperative events94, 99, 103, 104, 105. Being able to look back on shared performance in a safe, neutral and moderated setting may help all team members get a clearer perspective on the situation. Indeed, it may help healthcare institutions in the further development of a framework for dealing with disruptive behaviour. This would ensure a productive, healthy and safe working environment, which is focused on education and rehabilitation rather than punishment106. Systematic postoperative team debriefing using a MDR, led by an independent facilitator, may help in objective assessment of issues that have traditionally been ignored, creating a unique opportunity to discuss appropriate solutions with the entire operating team safely and respectfully.

Appendix S1. Search details

Click here for additional data file.