Pokémon is the second best-selling franchise worldwide, having sold 279 million video game software units as of 2015. When it was announced that the beloved game would be brought to mobile devices for free in the form of an augmented reality game, millennials everywhere had their childhood dream of traveling the world to catch Pokémon realized. Unfortunately, the early launch of the game led to many issues ranging from malfunctioning features to back doors that compromised the security of those playing the game. Despite these shortcomings of the game, it has become an overnight sensation.

Since Pokémon Go requires players to navigate the real world to track down the little creatures, it has led some to play the game in less-than-ideal places. With the nostalgia-powered drive to become a Pokémon Master, it was only a matter of time before people started making their way into health care facilities. As a result, in addition to keeping up with the various advances in mobile technology related to healthcare and patient management, health care facilities across the country must now add virtual and augmented reality to their list of concerns.

There have been two approaches to dealing with this new development: request removal from the game’s map, and thus have the Pokémon removed from your facility, or accept the game as a way to motivate its fans to be active. The second approach seems attractive to many, but without a properly controlled environment, it doesn’t eliminate the threat of protected health information (PHI) being compromised.

So, how does Pokémon Go pose a threat? As an augmented reality game, it makes use of a mobile device’s camera and allows people to play a virtual game in the real world. When the camera is active, the game encourages players to take pictures of the Pokémon they are attempting to capture and share them with their friends through text message or social media. In a healthcare environment, this could easily result in a player (whether patient, employee or third-party gamer) inadvertently sharing PHI with all of his or her followers in as little as four clicks from taking a screenshot. Even if no photographs are taken, the presence of individuals who are on the premises only to play the game can increase the chances of private information and security being compromised.

Health care providers and business associates alike have learned the high cost of HIPAA violations: New York Presbyterian Hospital paid a $2.2 million settlement for the filming of “NY Med” on its premises, which led to the unauthorized sharing of images of two patients. OCR determined that the hospital did not take adequate measures to safeguard PHI when the film crew was invited into an environment where the information could be compromised. OCR is likely to follow similar logic in relation to Pokémon Go and other augmented reality games with the potential for exposing PHI to unauthorized parties.

Best practices for Pokémon Go and its successors:

  • Take yourself off the “map”: Niantic Labs, the creator of Pokémon Go, recognizes that not all locations that are on the map should be there, so a request form can be filled out to have any “Pokéstops” or “Gyms” removed from the premises. However, a formal letter of demand may prove more efficient due to Niantic’s record of poor communication and slow response.
  • Determine your stance on patient play: Aside from standard hospital policies on visitor and patient cell phone use, consider whether your establishment wants to promote or even allow patient use of Pokémon Go. Many facilities are finding that Pokémon Go can prove to be a valuable tool in promoting exercise and activity, especially after procedures. If your hospital wants to take that approach, consider limiting play to areas where PHI is less accessible and adequately protected. However, keep in mind that the risk of unauthorized individuals gaining access to PHI remains.
  • Determine if health care providers and hospital staff should be prohibited from playing: Examine your social media and bring-your-own-device policies to address augmented reality games such as Pokémon Go and the successors that will follow. Taking photographs is often prohibited in hospital settings; make sure the policy is clear that the same restrictions apply to photos in the augmented reality space. This also provides an opportunity to reinforce existing social media policy.