
LEGAL & ETHICAL ISSUES IN BEHAVIORAL HEALTH IN OREGON

Join Paul A. Cooney, Attorney at Law, for a discussion on legal and ethical issues in behavioral health in Oregon. Learn about security issues, online risk assessment tools, data protection, and HIPAA breach notification rules.

Presentation Transcript


  1. Ethics in the Digital Age • November 5, 2016 • Portland, Oregon • Paul A. Cooney, Attorney at Law • Cooney, Cooney & Madigan, LLC • 12725 SW 66th Ave, Suite 205, Tigard, Oregon 97223 • (503)607-2711 • FAX (503)607-2702 • PCOONEY@COONEYLLC.COM

  2. LEGAL & ETHICAL ISSUES IN BEHAVIORAL HEALTH IN OREGON PAUL COONEY is a healthcare attorney who has been in practice for 24 years. Mr. Cooney is a Partner at Cooney, Cooney and Madigan, LLC where he specializes in healthcare litigation and represents a wide variety of healthcare professionals in all aspects of their practice. Mr. Cooney is General Counsel for the Oregon Psychological Association and the Oregon Counseling Association. He represents mental health professionals in malpractice cases, licensing and discipline matters and general business matters. He is licensed to practice in both Oregon and Washington and is a frequent speaker on legal issues and risk management.

  3. SECURITY ISSUES The Security Rule requires covered entities to: • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit. • Identify and protect against reasonably anticipated threats to the security or integrity of the information. • Protect against reasonably anticipated, impermissible uses or disclosures. • Ensure Compliance with employees/workforce.

  4. A risk analysis process includes, but is not limited to, the following activities: • Risk analysis should be an ongoing process • Evaluate the likelihood and impact of potential risks to e-PHI • Implement appropriate security measures to address the risks identified in the risk analysis • Document the chosen security measures and, where required, the rationale for adopting those measures • Maintain continuous, reasonable, and appropriate security protections.

  5. ONLINE RISK ASSESSMENT TOOL (HHS) https://www.healthit.gov/providers-professionals/security-risk-assessment

  6. Roy Huggins, LPC https://personcenteredtech.com/ (503) 893-9717

  7. Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals GOVERNMENT SPEAK (ENCRYPTION)

  8. UNLESS YOU ENJOY THE COMPANY OF ATTORNEYS, ENCRYPTION IS MANDATORY FOR ANY ELECTRONIC RECORDS • NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY SPECIAL PUBLICATION 800-111 (NOV. 2007) • Document the Encryption • Implement Strong Passwords • Back Up Your Information on encrypted drive

  9. DATA PROTECTION • Encrypt your entire computer hard drive. Document your encryption. • Anti-virus and malware protection. • Back-up your entire hard drive. Encrypt the back-up drive. • Mobile devices – encrypt with passcode. Activate Locate and Wipe features • Bring your Own Device – Need written policies • Written HIPAA policies. • Enforcement.

  10. DATA PROTECTION • Short timeouts for computer monitors • Set up password timeout • Consider privacy screens for monitor • For office and laptops • Email Attachments • Pause before you hit Send • Double check email address, and correct attachment • Don’t send information you don’t have to • Practice “safe” faxing

  11. EMAIL • Patient can request email communication as long as they are informed it is not secure. Not optimal. • Informal communication – keep your “professional” hat on • There is no “un-send” button • Use Email Encryption Service • Sendinc $4 / Month • Safe Gmail • Hush Mail • Poor Man’s Method – Encrypt the attachment • Word • Adobe Acrobat – Full Version

  12. CELL PHONES • Cell phone signal is encrypted… Mostly… • Wireless Home Phones • Analog v. DSS / DECT • Oregon Is A “One Party” Consent State • Use Strong Pass Codes With Short Time Out Cycle • Use “SAFE” Talking Techniques • Wipe Data Before Recycling

  13. COMPUTERS SECURITY Security First • Anti – Virus • Malware • Website Protection Encrypt Entire Hard-Drive • Do Not Put Encryption Password on Post-It Note • Consider using Fingerprint Scanner • Wireless Network / Internet (VPN) • Secure Networks Only (Password Required) • Use Locked Screen Saver • Emails • Wipe Before Recycling

  14. COPIERS / SCANNERS Multi-Function Printers / Scanners / Copiers • May Retain Information • Wipe Before Recycling • Factory reset? TABLETS • Strong Pass code with short timeout • Remote Location – Remote Wipe • Public WiFi – Use VPN

  15. HIPAA BREACH NOTIFICATION • BREACH – Presume there has been a breach • Lost Data • Unauthorized Access • Must Perform Investigation • Must Attempt to Mitigate Potential Harm HERE IS THE ANSWER CALL (503)607-2711

  16. HIPAA BREACH NOTIFICATION RULES (45 C.F.R. 164.400-414) • Tsunami of Terribles • Over 500 Records breached • Notify All Patients Involved • Notify All Media Outlets • Notify Office of Civil Rights • 60 Day Deadline • Prepare Your Written Policies TREAT ALL BREACHES SERIOUSLY. THEY MUST BE INVESTIGATED.

  17. BOARD COMPLAINT / MALPRACTICE • Report Data Breaches to the Board • Lost or missing records can affect board complaints/malpractice lawsuits • Breach of confidentiality is an Ethical violation • Failure to maintain records may be an Ethical Violation

  18. SOCIAL MEDIA “This evaluator is terrible. She is late and cancels all the time. When she does show up she is dressed innapropiatly. She will make you take tests that Are not revalent to the evaluation and not typically uses in child custody evaluations to rack up an bill. The woman is not concerned about the best interest of your child she only cares about her pocket book. With all that she will book late evening appointments over the phone not even in person which you will have no way to accurately go over your parenting concerns.” “Horrible evaluator, canceles appointments repetedly, dresses inappropiatly short tight skirts and no underwear. Office smells like cat pee and poo. She lies, contradicts herself and has gotten talking about her own childhood issues. She does not care about the best interests of the children and makes biased reports. he is an obvious hired gun who does not keep things neutral and unbiased.”

  19. SOCIAL MEDIA • Have Social Media policies for your employees • Friend requests on Facebook • Clients stalking on Facebook • Facebook Messenger • Social media posts about work or clients • Blogs – May clients follow your blog? • Policy on following client blogs • Use of Google on clients • Online review sites • Soliciting testimonials from current clients • Responding to reviews

  20. TELE-MENTAL HEALTH • Inside Oregon, probably OK • Oregon Distance Counseling Admin Rules • Crossing State lines – problematic • Do you need to be licensed in the other state? • Telephone vs. Video • Skype – problematic • VSEE – probably OK • Thera-Link – Probably OK • Doxy.Me – probably OK • Billing issues – Use the right billing code

  21. Distance Counseling - Oregon • 833-090-0040 • Technology and Informed Consent • (1) Professional Disclosure Statement • (2) Licensees must inform clients of the benefits and limitations of distance service delivery, including: • (a) Issues related to the difficulty of maintaining the confidentiality of electronically transmitted communications; • (b) Names of colleagues, supervisors, and employees, such as Informational Technology (IT) administrators, who may have authorized or unauthorized access to electronic transmissions; • (c) The risks of all authorized or unauthorized people who have access to any technology clients may use in the counseling process. This includes family members, friends, acquaintances, and fellow employees; • (d) Limitations governing the practice of the LPC or LMFT profession in the State of Oregon, including that the laws and statutes regarding the practice of professional counseling and marriage and family therapy differ from state-to-state; • (e) Contact information and alternate methods of contact in case of technology failure; and • (f) Emergency procedures for situations when the counselor is not available.

  22. Distance Counseling • 833-090-0010 • Technology-Assisted Services • (1) When providing technology-assisted distance counseling services, licensees must: • (a) Use secure web sites and e-mail communications to help ensure confidentiality; • (b) Determine that technology-assisted services are appropriate, available, and meets the needs of the particular client; and • (c) Have a working knowledge of the particular technology used to meet the needs of clients. • (d) Conduct due diligence in confirming the identity of potential clients. • (2) When the use of encryption is not possible, limit electronic transmissions to general communications that are not client specific.

  23. In Conclusion • Protecting digital data is not that difficult • Consult with professionals to set up protections • Treat all breaches seriously • Take steps to mitigate • Document your investigation • Ongoing duty to evaluate risks • Train your employees • Know who to call (503)607-2711 • It’s not too late for Dental School!
