​A risk manager in an aging services organization recently asked ECRI Institute for guidance on using drones for additional security and monitoring around the campus. Noting that he has observed an uptick in amateur drone flight around the campus, the risk manager speculates that if the organization trained staff to operate one or two drones, they could be deployed for general security watch, to search for residents who have eloped, or for emergency oversight to supplement security officers. For example, the risk manager states, with an inexpensive thermal imaging drone, the organization may have found an eloped resident in minutes, when in fact the situation turned out to be the organization's longest and hardest search ever.

In our response, ECRI Institute notes that the same risk management techniques used to address other issues—specifically, focusing on risk identification, analysis, and mitigation—are pertinent when considering rolling out drones as part of a security plan. Because this is an emerging technology that has unique risks, ECRI Institute strongly recommends involving the organization's legal counsel to assist in a risk analysis, policy and guideline development, and ongoing evaluation of risks over time.

Organizations should consider involving a board task force or performance improvement team to implement and oversee drone usage. Include key risk management and executive leadership, appropriate department leadership (e.g., public safety), local police representation, the property insurer, local municipality manager, legal counsel, and others as necessary.

Some potential areas of risk that arise with the use of drones include, but are not limited to the following:

• Potential general and property liability.
• Compliance with applicable laws and rules at the federal, state, and local levels. In particular, see resources from the Federal Aviation Administration including guidance on getting started with drones, frequently asked questions, and guidance on complying with the Small Unmanned Aircraft Systems (UAS) rule.
• Required registrations, licenses, certifications, and training, including the need for initial certification, licensure, and training as well as ongoing renewal.
• Privacy issues, including photographing, videoing, and imaging of residents, staff, visitors, and the public at large; the guidance article Photography, Filming, and Other Imaging of Residents speaks to the risks associated with these issues, which will be similar when images are taken via drones.
• Developing, implementing, and reviewing written policies and guidelines, which should include practices for reviewing drone use, incidents, and risk.

To help with a risk analysis, ECRI Institute encourages a full review of applicable federal, state, and local regulations about using drones, as well as a site and community review that covers the rules for use of drones around airports, other businesses, and certain public spaces (e.g., stadiums). The team responsible for drone implementation should also review insurance policy coverages and gaps or exclusions.

In addition to giving particular scrutiny to potential violations of personal privacy, the organization should be wary of risks related to the reaction from the public at large in its community. Technologies like drones can cause a wide variety of responses; assessing potential risks associated with public, resident, and family opinion is crucial. Just as importantly, the organization should plan its methods to communicate use of these devices on a regular basis and in a forum where it can communicate how the devices would be used, what protections for privacy are in place, and, most importantly, the benefits from using the technology in the intended way.

Once risks are identified and analyzed, a decision whether or not to proceed can be made.

The recommendations contained in Ask CCRM do not constitute legal advice. Facilities should consult legal counsel for specific guidance and develop clinical guidance in consultation with their clinical staff.