PHI From Glass

A handful of surgeons have live-streamed surgeries to the Internet from Glass using Google Hangouts. Although the patient consented in each case, Google Hangouts isn't a viable production-grade video streaming solution. Google Hangouts isn't encrypted or secure, and the videos will live on Google's servers forever.

Sending any PHI through Google's servers, which every application that uses the Mirror API does, is a HIPAA violation by definition. As long as it relies on the Mirror API, Glass will never be a viable solution in healthcare.

However, there's another way. At Pristine, we're writing native Android applications that reside on Glass itself and that communicate with our own server platform, which will be installed inside the hospital's firewall. We encrypt data in transit and at rest, and we generate a complete audit record at every step of the way. Most importantly, no PHI will leave the hospital's premises. Hospital management will control and manage the data that they capture on their own terms, not Google's terms.

Every viable production-grade healthcare application on Glass will have to be written as a native Android application. As such, the vast majority of innovation over the past few months on Glass for healthcare has been just for show. The Mirror API is fine for rapid iteration and testing screens, but it will never be usable in production healthcare environments.