
HIPAA Update: Social Media, Audits & Enforcement






Presentation Transcript


  1. HIPAA Update: Social Media, Audits & Enforcement By LYNDA M. JOHNSON

  2. HIPAA and Social Media With new technology comes new problems!!

  3. Two paramedic students working in the ED in Florida as part of their training took digital photos of a patient who had been attacked by a shark and e-mailed the photos to several friends.

  4. A Chicago physician, on his blog, called a patient “lazy” and “ignorant” because she had made several visits to the ED after failing to monitor her sugar level.

  5. A medical student filmed a doctor inserting a chest tube into a patient, whose face was clearly visible, and posted the footage on YouTube.

  6. A nurse did not think twice about posting on her Facebook page that she had treated a “cop killer” the day after many news accounts had named the accused shooter and the hospital where he was treated.

  7. If only these individuals had taken some time and used the “Coffee Shop Test” before posting the information: If you wouldn’t talk about it with a friend in a coffee shop, then it’s not appropriate to talk about it online (and it’s never ok to talk about specific patients with a friend in a coffee shop).

  8. Let’s talk about this hypothetical situation: Nurse Mary, using her personal iPhone, after work hours, posts on her Facebook page (after describing her daughter’s soccer game and shopping outing earlier that day) the following: “I met (Famous Football Player) today!! Such a nice guy! Not bad on the eyes too!” Later that same day, in response to a “Friend’s” question, Mary responded: “He came in for a broken arm.” Meanwhile, one of Mary’s Friends, “Susan,” responded to Mary’s original post with a simple “Like.”

  9. It is important for you to know: Mary’s Profile states that she is a Registered Nurse who works in the Orthopedics Department of Large Hospital System in Anytown, USA; and Among her “Friends” is a co-worker, “Susan,” a Physical Therapist who works in the same Department of the same Hospital. Susan’s Profile also states her profession and her place of work.

  10. Around 90 days later, Large Hospital System receives a letter from the Office for Civil Rights advising that it received an anonymous complaint alleging that the Hospital was not in compliance with the HIPAA Privacy Standards and, more specifically, that Mary had impermissibly disclosed protected health information of individuals who were patients of the Hospital’s Orthopedics Department. Specifically, it is alleged that Mary posted PHI on her Facebook page related to the patient status and medical condition of “Famous Football Player.”

  11. Was this a HIPAA violation?

  12. The “general” rule is that, under HIPAA, a Covered Entity (or Business Associate) may not use or disclose PHI except as permitted or required by the Privacy Rules. Facebook and other social media posts, like verbal “gossip” about patients, are electronic forms of PHI if patients are identified by name (or otherwise) and the context of the posts says something about the medical condition or patient status of the individual. In the “Mary” hypothetical, this would be a HIPAA violation.

  13. Some other actual situations that have been reported by the National Council of State Boards of Nursing: (Refer to Hand-Out)

  14. Now let’s talk about some lawsuits: In late December of 2013, a patient who was seen at the ED of Northwestern Memorial Hospital in Chicago sued the Hospital, the Feinberg School of Medicine and the physician who treated her, after the physician posted pictures of the drunk patient to social media. She is seeking $1.5 million in damages. The patient is an actress, model and ex-professional tennis player from Russia who claims that the postings damaged her future career prospects and caused her emotional distress. In posting the pictures, the physician invited friends for rooftop cocktails across the street from the ED where the patient was admitted for alcohol poisoning.

  15. Walgreens was ordered to pay $1.44 million in a lawsuit brought against it for a violation of HIPAA by one of its pharmacist employees. The pharmacist looked up the medical records of her husband’s ex-girlfriend, whom she suspected of giving her husband an STD. She found what she was looking for and told her husband about it, and he then sent a text message to the ex telling her he knew all about the results. The ex figured out how the husband had found out about the results and filed the lawsuit, not against the pharmacist, but against the deep-pocketed Walgreens. The jury decided that Walgreens was responsible for 80% of the verdict. (I guess that means the total verdict was $1.8 million.) Walgreens said it will appeal. But wait, HIPAA does not allow a private right of action, so how did this lawsuit proceed? It was brought under common law theories of invasion of privacy, negligence and professional malpractice. Walgreens was not sued for violating HIPAA; however, the HIPAA violation by Walgreens’ employee was used to show that Walgreens was negligent.

  16. Common Myths and Misunderstandings of Social Media: A mistaken belief that the communication or post is private and accessible only to the intended recipient. A mistaken belief that content that has been deleted from a site is no longer accessible. A mistaken belief that disclosing patient information is harmless if the communication is accessed only by the intended recipient. This is still a HIPAA violation if the intended recipient is an unauthorized individual.

  17. Common Myths and Misunderstandings of Social Media: A mistaken belief that it is acceptable to discuss or refer to patients if they are not identified by name, but referred to by a nickname, room number, diagnosis or condition.

  18. Common Myths and Misunderstandings of Social Media: Confusion between a patient’s right to disclose personal information about himself/herself and the obligation of a health care provider to refrain from disclosing such information unless it is related to treatment, payment or healthcare operations. The ease of posting and commonplace nature of sharing information via social media may appear to blur the line between one’s personal and professional lives.

  19. HIPAA Audits

  20. OCR to Begin Phase 2 of HIPAA Audit Program: The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) will soon begin a second phase of audits (Phase 2 Audits) of compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security and breach notification standards (HIPAA Standards), as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

  21. Phase 1 Audit Findings
      • OCR audited 115 covered entities under the Phase 1 Audit program, with the following aggregate results:
      • There were no findings or observations for only 11% of the covered entities audited;
      • Despite representing just more than half of the audited entities (53%), health care providers were responsible for 65% of the total findings and observations;
      • The smallest covered entities were found to struggle with compliance under all three of the HIPAA Standards;

  22. Phase 1 Audit Findings (continued)
      • Greater than 60% of the findings or observations were Security Standard violations, and 58 of 59 audited health care provider covered entities had at least one Security Standard finding or observation even though the Security Standards represented only 28% of the total audit items;
      • Greater than 39% of the findings and observations related to the Privacy Standards were attributed to a lack of awareness of the applicable Privacy Standard requirement; and
      • Only 10% of the findings and observations were attributable to a lack of compliance with the Breach Notification Standards.

  23. The Phase 2 Audit Program
      • OCR will audit approximately 150 covered entities and 50 business associates for compliance with the Security Standards, 100 covered entities for compliance with the Privacy Standards and 100 covered entities for compliance with the Breach Notification Standards.
      • These audits will be “desk audits.”
      • Covered entities and business associates will have two weeks to respond to OCR’s audit request.
      • OCR will only consider documentation that is submitted on time.

  24. The Phase 2 Audits will target HIPAA Standards that were sources of high numbers of non-compliance in the Phase 1 Audits, including:
      • risk analysis and risk management;
      • content and timeliness of breach notifications;
      • notice of privacy practices;
      • individual access;
      • Privacy Standards’ reasonable safeguards requirement;
      • training on policies and procedures;
      • device and media controls; and
      • transmission security.

  25. OCR also projects that Phase 2 Audits in 2016 will focus on the Security Standards:
      • encryption and decryption requirements;
      • facility access controls;
      • breach reports and complaints; and
      • other areas identified by earlier Phase 2 Audits.
      Phase 2 Audits of business associates will focus on:
      • risk analysis;
      • risk management; and
      • breach reporting to covered entities.

  26. What Should You Do to Prepare for the Phase 2 Audits? Covered entities and business associates should take the following steps to ensure that they are prepared for a potential Phase 2 Audit:
      • Confirm that the organization has recently completed a comprehensive assessment of potential security risks and vulnerabilities to the organization (the Risk Assessment);
      • Confirm that all action items identified in the Risk Assessment have been completed or are on a reasonable timeline to completion;
      • Ensure that the organization has a complete inventory of business associates for purposes of the Phase 2 Audit data requests;

  27. What Should You Do to Prepare for the Phase 2 Audits? (continued)
      • If the organization has not implemented any of the Security Standards’ addressable implementation standards for any of its information systems, confirm that the organization has documented: (i) why any such addressable implementation standard was not reasonable and appropriate and (ii) all alternative security measures that were implemented;
      • Ensure that the organization has implemented a breach notification policy that accurately reflects the content and deadline requirements for breach notification under the Breach Notification Standards;

  28. What Should You Do to Prepare for the Phase 2 Audits? (continued)
      • Health care provider and health plan covered entities should ensure that they have a compliant Notice of Privacy Practices and not just a website privacy notice;
      • Ensure that the organization has reasonable and appropriate safeguards in place for PHI that exists in any form, including paper and verbal PHI;
      • Confirm that workforce members have received training on the HIPAA Standards that are necessary or appropriate for a workforce member to perform his/her job duties;
      • Confirm that the organization maintains an inventory of information system assets, including mobile devices (even in a bring-your-own-device environment);

  29. What Should You Do to Prepare for the Phase 2 Audits? (continued)
      • Confirm that all systems and software that transmit electronic PHI employ encryption technology, or that the organization has a documented risk analysis supporting the decision not to employ encryption;
      • Confirm that the organization has adopted a facility security plan for each physical location that stores or otherwise has access to PHI, in addition to a security policy that requires a physical security plan; and
      • Review the organization’s HIPAA security policies to identify any actions that have not been completed as required (e.g., physical security plans, disaster recovery plan, emergency access procedures, etc.).

  30. The OCR Audit Protocol for the Phase 2 Audits is posted on the OCR website. It is 67 pages long!

  31. HIPAA Enforcement Since the compliance date of the Privacy Rule in April 2003, OCR has received over 106,522 HIPAA complaints and has initiated over 1,183 compliance reviews. OCR has resolved ninety-five percent of these cases.

  32. HIPAA Enforcement: OCR has investigated and resolved over 23,314 cases by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA covered entities and their business associates.

  33. HIPAA Enforcement In another 10,566 cases, OCR investigations found no violation had occurred.

  34. HIPAA Enforcement Additionally, in 7,883 cases, OCR has intervened early and provided technical assistance to HIPAA covered entities, their business associates, and individuals exercising their rights under the Privacy Rule, without the need for an investigation.

  35. HIPAA Enforcement
      • In the rest of the completed cases (68,412), OCR determined that the complaint did not present an eligible case for enforcement. These include cases in which:
      • OCR lacks jurisdiction under HIPAA. For example, in cases alleging a violation by an entity not covered by HIPAA;

  36. HIPAA Enforcement (continued)
      • The complaint is untimely, or withdrawn by the filer.
      • The activity described does not violate the HIPAA Rules. For example, in cases where the covered entity has disclosed protected health information in circumstances in which the Privacy Rule permits such a disclosure.

  37. HIPAA Enforcement From the compliance date to December 31, 2014, the compliance issues investigated most are, in order of frequency: Impermissible uses and disclosures of protected health information; Lack of safeguards of protected health information;

  38. HIPAA Enforcement Lack of patient access to their protected health information; Lack of administrative safeguards of electronic protected health information; and Use or disclosure of more than the minimum necessary protected health information.

  39. HIPAA Enforcement The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency: Private Physician Practices; General Hospitals;

  40. HIPAA Enforcement Outpatient Facilities; Pharmacies; and Health Plans (group health plans and health insurance issuers)

  41. Security Rule Enforcement: Since OCR began reporting enforcement of the Security Rule in October of 2009, it has received 940 complaints. 689 complaints have been resolved. As of August 31, 2014, 316 of these complaints remain outstanding.

  42. Referrals to Department of Justice As of December 31, 2014, OCR has referred 543 cases to the Department of Justice for criminal investigation involving violations of the HIPAA Privacy Regs.

  43. OCR Case Settlements: Hospital Implements New Minimum Necessary Policies for Telephone Messages. A hospital employee did not observe minimum necessary requirements when she left a telephone message with the daughter of a patient that detailed both the patient’s medical condition and treatment plan.

  44. An OCR investigation also indicated that the confidential communications requirements were not followed, as the employee left the message at the patient’s home telephone number, despite the patient’s instructions to contact her through her work number.

  45. The hospital was required to: only leave “minimum necessary” information in messages; train employees on what “minimum necessary” information they were allowed to leave in a message;

  46. train employees on reviewing patient contact directives with patients during registration; and incorporate these new procedures into new-employee and yearly compliance training.

  47. OCR Case Settlements: Hospital Issues Guidelines Regarding Disclosures to Avert Threats to Health or Safety. After treating a patient injured in a rather unusual sporting accident, the hospital released to the local media, without the patient’s authorization, copies of the patient’s skull x-ray as well as a description of the complainant’s medical condition.

  48. The local newspaper then featured on its front page the individual’s x-ray and an article that included the date of the accident, the location of the accident, the patient’s gender, a description of the patient’s medical condition, and numerous quotes from the hospital about such unusual sporting accidents.

  49. The hospital asserted that the disclosures were made to avert a serious threat to health or safety; however, OCR’s investigation indicated that the disclosures did not meet the Privacy Rule’s standard for such actions.

  50. The investigation also indicated that the disclosures did not meet the Rule’s de-identification standard and therefore were not permissible without the individual’s authorization. Among other corrective actions to resolve the specific issues in the case, OCR required the hospital to develop and implement a policy regarding disclosures related to serious threats to health and safety, and to train all members of the hospital staff on the new policy.
