
Privacy in Electronic Communications; Malpractice and Credentialing Updates

Explore the legal aspects of privacy in electronic communications and the potential problem areas. Learn about HIPAA regulations and guidelines for safeguarding electronic health information.

lincolnb


Presentation Transcript


  1. Privacy in Electronic Communications; Malpractice and Credentialing Updates

  2. Privacy in Electronic Communications

  3. Two topics to discuss: • What does the law say? • Problem Areas?

  4. What does the law say about Privacy in Electronic Communications?

  5. What does the law say? General HIPAA Rule 45 CFR 164.502(a) “A covered entity or business associate may not use or disclose protected health information, except as permitted or required [by these regulations].”

  6. What does the law say? • Very generally speaking: • Privacy Rule: When can you use or disclose? • Security Rule: How do you safeguard and transmit e-PHI?

  7. What does the law say? • Keys to Privacy Compliance • Good policies • Good training • Keys to Security Compliance • Regular Risk Assessment • Response to Risk Assessment

  8. What does the law say? Security Rule FAQ Regarding Email: • Security Rule does not prohibit use of email for sending e-PHI. • Assess use of open networks. • Identify available and appropriate means to protect e-PHI. • Select a solution, document the decision.

  9. What does the law say? Privacy Rule FAQ Regarding Email: • Check email address for accuracy. • Communications to patients for treatment purposes do not have to be encrypted. • However, limit amount and type of information sent through unencrypted email. • Patient may request email, or patient may request no email.

  10. What does the law say? Privacy in Electronic Communication: Problem Areas

  11. Mobile Devices Not prohibited, but ... • Risk of theft. • Risk of creating unintentional record. • Do require authentication. • Do require encryption. • No public Wi-Fi. • Keep inventory of devices. • Remote shut down tools.

  12. HIPAA and Social Media With new technology comes new problems.

  13. Two paramedic students working in the ED in Florida as part of their training took digital photos of a patient who had been attacked by a shark and e-mailed the photos to several friends.

  14. A Chicago physician, on his blog, called a patient “lazy” and “ignorant” because she had made several visits to the ED after failing to monitor her sugar level.

  15. A medical student filmed a doctor inserting a chest tube into a patient, whose face was clearly visible, and posted the footage on YouTube.

  16. A nurse posted on her Facebook page that she had treated a “cop killer” the day following many news accounts named the accused shooter and the hospital where he was treated.

  17. These individuals should have used the “Coffee Shop Test” before posting the information: If you wouldn’t talk about it with a friend in a coffee shop, then it’s not appropriate to talk about it online (and it’s never ok to talk about specific patients with a friend in a coffee shop).

  18. And it is really worse than that. It is more like inviting all of your friends to the coffee shop and announcing to the entire coffee shop certain pieces of information about the patient.

  19. Hypothetical Nurse Mary, using her personal iPhone, after work hours, posts on her Facebook page (after describing her daughter’s soccer game and shopping outing earlier that day) the following: “I met (Famous Football Player) today!! Such a nice guy! Not bad on the eyes either!” Later that same day, in response to a “Friend’s” question, Mary responded: “He came in for a broken arm.” Meanwhile, one of Mary’s Friends, “Susan,” responded to Mary’s original post with a simple “Likes” reply.

  20. It is important for you to know: • Mary’s Profile states that she is a Registered Nurse who works in the Orthopedics Department of Large Hospital System in Anytown, USA; and • Among her “Friends” is a co-worker, “Susan,” a Physical Therapist who works in the same Department of the same Hospital. Susan’s Profile also states her profession and her place of work.

  21. Around 90 days later, Large Hospital System receives a letter from the Office for Civil Rights advising that it received an anonymous complaint alleging that it was not in compliance with the HIPAA Privacy Standards and, more specifically that Mary had impermissibly disclosed protected health information of individuals who were patients of the Hospital’s Orthopedics Department. Specifically, it is alleged that Mary posted PHI on her Facebook page related to the patient status and medical condition of “Famous Football Player.”

  22. Was this a HIPAA violation?

  23. The “general” rule is that, under HIPAA, a Covered Entity (or Business Associate) may not use or disclose PHI except as permitted or required by the Privacy Rules. Facebook and other social media posts, like verbal “gossip” about patients, are electronic forms of PHI if patients are identified by name (or otherwise) and the context of the posts says something about the medical condition or patient status of the individual. In the “Mary” hypothetical, this would be a HIPAA violation.

  24. Lawsuits In late December of 2013, a patient who was seen at the ED of Northwestern Memorial Hospital in Chicago sued the Hospital, the Feinberg School of Medicine and the physician who treated her, after the physician posted pictures of the drunk patient to social media. She is seeking $1.5 million in damages. The patient is an actress, model and ex-professional tennis player from Russia who claims that the postings damaged her future career prospects and caused her emotional distress. In posting the pictures, the physician invited friends for rooftop cocktails across the street from the ED where the patient was admitted for alcohol poisoning.

  25. Walgreens was ordered to pay $1.44 million in a lawsuit brought against it for a violation of privacy by one of its pharmacist employees. The pharmacist looked up the medical records of her husband’s ex-girlfriend, who she suspected gave her husband an STD. She found what she was looking for, told her husband about it, and he then sent a text message to the ex and told her he knew all about the results. The ex figured out how the husband found out about the results and filed the lawsuit, not against the pharmacist, but against the deep pocket, Walgreens. The jury decided that Walgreens was responsible for 80% of the verdict. Walgreens said it will appeal. But wait, HIPAA does not allow a private right of action, so how did this lawsuit proceed? It was brought under common law theories of invasion of privacy, negligence and professional malpractice. Walgreens was not sued for violating HIPAA; however, the HIPAA violation by Walgreens’ employee was used to show that Walgreens was negligent.

  26. Common Myths and Misunderstandings of Social Media: A mistaken belief that the communication or post is private and accessible only to the intended recipient. A mistaken belief that content that has been deleted from a site is no longer accessible. A mistaken belief that it is harmless if patient information is disclosed if the communication is accessed only by the intended recipient. This is still a HIPAA violation if the intended recipient is an unauthorized individual.

  27. Common Myths and Misunderstandings of Social Media: A mistaken belief that it is acceptable to discuss or refer to patients if they are not identified by name, but referred to by a nickname, room number, diagnosis or condition.

  28. Common Myths and Misunderstandings of Social Media: Confusion between a patient’s right to disclose personal information about himself/herself and the obligation of a health care provider to refrain from disclosing such information unless it is related to treatment, payment or healthcare operations. The ease of posting and commonplace nature of sharing information via social media may appear to blur the line between one’s personal and professional lives.

  29. HIPAA Enforcement (as of the end of 2014)

  30. HIPAA Enforcement Since the compliance date of the Privacy Rule in April 2003, OCR has received over 106,522 HIPAA complaints and has initiated over 1,183 compliance reviews. OCR has resolved ninety-five percent of these cases.

  31. HIPAA Enforcement OCR has investigated and resolved over 23,314 cases by requiring changes in privacy practices and corrective actions or providing technical assistance to HIPAA covered entities and their business associates.

  32. HIPAA Enforcement In another 10,566 cases, OCR investigations found no violation had occurred.

  33. HIPAA Enforcement Additionally, in 7,883 cases, OCR has intervened early and provided technical assistance to HIPAA covered entities, their business associates, and individuals exercising their rights under the Privacy Rule, without the need for an investigation.

  34. HIPAA Enforcement • In the rest of the completed cases, (68,412) OCR determined that the complaint did not present an eligible case for enforcement. These include cases in which: • OCR lacks jurisdiction under HIPAA. For example, in cases alleging a violation by an entity not covered by HIPAA;

  35. HIPAA Enforcement • The complaint is untimely, or withdrawn by the filer. • The activity described does not violate the HIPAA Rules. For example, in cases where the covered entity has disclosed protected health information in circumstances in which the Privacy Rule permits such a disclosure.

  36. HIPAA Enforcement From the compliance date to December 31, 2014, the compliance issues investigated most are, in order of frequency: Impermissible uses and disclosures of protected health information; Lack of safeguards of protected health information;

  37. HIPAA Enforcement • Lack of patient access to their protected health information; • Lack of administrative safeguards of electronic protected health information; and • Use or disclosure of more than the minimum necessary protected health information.

  38. HIPAA Enforcement The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency: Private Physician Practices; General Hospitals;

  39. HIPAA Enforcement • Outpatient Facilities; • Pharmacies; and • Health Plans (group health plans and health insurance issuers)

  40. Security Rule Enforcement Since OCR began reporting enforcement of the Security Rule in October of 2009, it has received 940 complaints. 689 complaints have been resolved. As of August 31, 2014, 316 of these complaints remain outstanding.

  41. Referrals to Department of Justice As of December 31, 2014, OCR has referred 543 cases to the Department of Justice for criminal investigation involving violations of the HIPAA Privacy Regs.

  42. Legal Issues with Electronic Medical Records

  43. Legal Issues - EMR • Learning Curve • Studies Conducted on the effect on Malpractice cases

  44. Legal Issues - EMR • More Data Available • Sometimes good, sometimes not • EMR Metadata (i.e., time stamps, length of the viewing) • Generally Discoverable

  45. Legal Issues - EMR Case Examples of More ≠ Better • Patient injured during surgery. • Lawsuit targeted surgeon’s competence. • EMR Metadata during discovery. • Time stamp triggered suspicion about anesthesiologist.

  46. Legal Issues - EMR • Medical Errors • Theoretically, EMRs should help to reduce them, and probably do in some cases. • Easy to click incorrectly and make a mistake that would never have been made in writing.

  47. Legal Issues - EMR • Fraud Claims • “Cloning” • Personal Example

  48. Legal Issues - EMR • Consolidation of massive amounts of information. • Theft of Laptop could mean theft of thousands of medical records. • HIPAA Security Regulations and Policies.

  49. Credentialing Update

  50. Why do Hospitals Credential?
