Audio and video monitoring of patients in the U.S., EU, and UK: Weighing risks and benefits
With the explosion of AI technology, hospitals and nursing facilities are increasingly using video and audio patient monitoring technologies, which aim to enhance patient safety, including by detecting patient falls. However, recordings may show patients undressed, getting bathed, receiving medical care, or in vulnerable states. The use and disclosure of these recordings, including for AI training, can raise legal risks, including:
Notice and consent
Health systems using this technology will need to provide sufficient notice to, and potentially obtain explicit and informed consent from, patients (or their personal representative), staff, and visitors. They also will need to disable the technology for individuals who decline or withdraw consent, where required.
Identifiability
Some technologies can de-identify individuals (e.g., by blurring images or reducing them to stick figures) to reduce potential harms. Understanding how recordings are made, altered, and maintained is crucial.
Storage of recordings
Limiting the retention period of recordings helps to mitigate a number of risks. The longer recordings are maintained, the greater the risk from a potential data breach or security incident. Identifiability of individuals could trigger broad notification obligations, regulatory investigations, litigation, and reputational harm. Threat actors could attempt to extort payment, including directly from patients, to avoid release of the highly sensitive recordings. Retained recordings also may become discoverable and be used as evidence in malpractice or other litigation. They could also introduce additional liability for health systems where recordings contain evidence of illegal activity (e.g., abuse of patients, drug use by staff), as knowledge may be imputed to the health system where it did not review or act upon the recordings.
Training AI models
Technology providers may want to use recordings to train AI models that trigger alerts for staff when patients need assistance. Fully de-identified recordings help mitigate the above-listed risks under privacy and data protection laws; however, notice of model training may still be required. In addition, depending on the intended use of the recording, additional consent and/or waiver may be necessary for the use of a person's image, likeness, and/or voice, from an IP perspective. Technology providers and health systems may also need to consider their obligations (such as documentation requirements, risk assessments, and human oversight obligations) under AI laws, such as the EU's AI Act.
Contracting with vendors
Health systems will generally want to conduct some diligence on the vendors of these technologies to understand how the vendor and health provider can cooperate to mitigate risk. Contracts will likely need to include mandatory or recommended provisions under privacy, AI, and health care laws.


