HIPAA Update: Social Media, Audits & Enforcement
By Lynda M. Johnson


HIPAA and Social Media

With new technology comes new problems!!

Two paramedic students working in the ED in Florida as part of their training took digital photos of a patient who had been attacked by a shark and e-mailed the photos to several friends.

A Chicago physician, on his blog, called a patient “lazy” and “ignorant” because she had made several visits to the ED after failing to monitor her sugar level.

A medical student filmed a doctor inserting a chest tube into a patient, whose face was clearly visible, and posted the footage on YouTube.

A nurse did not think twice about posting on her Facebook page that she had treated a “cop killer” the day after many news accounts had named the accused shooter and the hospital where he was treated.

If only these individuals had taken some time and used the “Coffee Shop Test” before posting the information: If you wouldn’t talk about it with a friend in a coffee shop, then it’s not appropriate to talk about it online (and it’s never ok to talk about specific patients with a friend in a coffee shop).

Let’s talk about this hypothetical situation:

Nurse Mary, using her personal iPhone, after work hours, posts on her Facebook page (after describing her daughter’s soccer game and shopping outing earlier that day) the following: “I met (Famous Football Player) today!! Such a nice guy! Not bad on the eyes too!” Later that same day, in response to a “Friend’s” question, Mary responded: “He came in for a broken arm.” Meanwhile, one of Mary’s Friends, “Susan,” responded to Mary’s original post with a simple “Likes” reply.

It is important for you to know:

1. Mary’s Profile states that she is a Registered Nurse who works in the Orthopedics Department of Large Hospital System in Anytown, USA; and

2. Among her “Friends” is a co-worker, “Susan,” a Physical Therapist who works in the same Department of the same Hospital. Susan’s Profile also states her profession and her place of work.

Around 90 days later, Large Hospital System receives a letter from the Office for Civil Rights advising that it received an anonymous complaint alleging that it was not in compliance with the HIPAA Privacy Standards and, more specifically, that Mary had impermissibly disclosed protected health information of individuals who were patients of the Hospital’s Orthopedics Department. Specifically, it is alleged that Mary posted PHI on her Facebook page related to the patient status and medical condition of “Famous Football Player.”

Was this a HIPAA violation?

The “general” rule is that, under HIPAA, a Covered Entity (or Business Associate) may not use or disclose PHI except as permitted or required by the Privacy Rules. Facebook and other social media posts, like verbal “gossip” about patients, are electronic forms of PHI if patients are identified by name (or otherwise) and the context of the posts says something about the medical condition or patient status of the individual. In the “Mary” hypothetical, this would be a HIPAA violation.

Some other actual situations that have been reported by the National Council of State Boards of Nursing:

(Refer to Hand-Out)

Now let’s talk about some lawsuits:

In late December of 2013, a patient who was seen at the ED of Northwestern Memorial Hospital in Chicago sued the Hospital, the Feinberg School of Medicine and the physician who treated her, after the physician posted pictures of the drunk patient to social media. She is seeking $1.5 million in damages. The patient is an actress, model and ex-professional tennis player from Russia who claims that the postings damaged her future career prospects and caused her emotional distress. In posting the pictures, the physician invited friends for rooftop cocktails across the street from the ED where the patient was admitted for alcohol poisoning.

Walgreens was ordered to pay $1.44 million in a lawsuit brought against it for a violation of HIPAA by one of its pharmacist employees. The pharmacist looked up the medical records of her husband’s ex-girlfriend, who she suspected gave her husband an STD. She found what she was looking for, told her husband about it, and he then sent a text message to the ex and told her he knew all about the results. The ex figured out how the husband found out about the results and filed the lawsuit, not against the pharmacist, but against the deep pocket, Walgreens. The jury decided that Walgreens was responsible for 80% of the verdict. (I guess that means the total verdict was $1.8 million.) Walgreens said it will appeal. But wait, HIPAA does not allow a private right of action, so how did this lawsuit proceed?

It was brought under common law theories of invasion of privacy, negligence and professional malpractice. Walgreens was not sued for violating HIPAA; however, the HIPAA violation by Walgreens’ employee was used to show that Walgreens was negligent.

Common Myths and Misunderstandings of Social Media:

1. A mistaken belief that the communication or post is private and accessible only to the intended recipient.

2. A mistaken belief that content that has been deleted from a site is no longer accessible.

3. A mistaken belief that it is harmless if patient information is disclosed if the communication is accessed only by the intended recipient. This is still a HIPAA violation if the intended recipient is an unauthorized individual.

4. A mistaken belief that it is acceptable to discuss or refer to patients if they are not identified by name, but referred to by a nickname, room number, diagnosis or condition.

5. Confusion between a patient’s right to disclose personal information about himself/herself and the obligation of a health care provider to refrain from disclosing such information unless it is related to treatment, payment or healthcare operations.

6. The ease of posting and commonplace nature of sharing information via social media may appear to blur the line between one’s personal and professional lives.

HIPAA Audits

OCR to Begin Phase 2 of HIPAA Audit Program

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) will soon begin a second phase of audits (Phase 2 Audits) of compliance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security and breach notification standards (HIPAA Standards) as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Phase 1 Audit Findings

OCR audited 115 covered entities under the Phase 1 Audit program, with the following aggregate results:

There were no findings or observations for only 11% of the covered entities audited;

Despite representing just more than half of the audited entities (53%), health care providers were responsible for 65% of the total findings and observations;

The smallest covered entities were found to struggle with compliance under all three of the HIPAA Standards;

Greater than 60% of the findings or observations were Security Standard violations, and 58 of 59 audited health care provider covered entities had at least one Security Standard finding or observation even though the Security Standards represented only 28% of the total audit items;

Greater than 39% of the findings and observations related to the Privacy Standards were attributed to a lack of awareness of the applicable Privacy Standard requirement; and

Only 10% of the findings and observations were attributable to a lack of compliance with the Breach Notification Standards.

The Phase 2 Audit Program

OCR will audit approximately 150 covered entities and 50 business associates for compliance with the Security Standards, 100 covered entities for compliance with the Privacy Standards and 100 covered entities for compliance with the Breach Notification Standards.

These audits will be “desk audits.” Covered entities and business associates will have two weeks to respond to OCR’s audit request.

OCR will only consider documentation that is submitted on time.

The Phase 2 Audits will target HIPAA Standards that were sources of high numbers of non-compliance in the Phase 1 Audits, including:

risk analysis and risk management;
content and timeliness of breach notifications;
notice of privacy practices;
individual access;
Privacy Standards’ reasonable safeguards requirement;
training on policies and procedures;
device and media controls; and
transmission security.

OCR also projects that Phase 2 Audits in 2016 will focus on the Security Standards:

encryption and decryption requirements;
facility access controls;
breach reports and complaints; and
other areas identified by earlier Phase 2 Audits.

Phase 2 Audits of business associates will focus on:

risk analysis;
risk management; and
breach reporting to covered entities.

What Should You Do to Prepare for the Phase 2 Audits?

Covered entities and business associates should take the following steps to ensure that they are prepared for a potential Phase 2 Audit:

Confirm that the organization has recently completed a comprehensive assessment of potential security risks and vulnerabilities to the organization (the Risk Assessment);

Confirm that all action items identified in the Risk Assessment have been completed or are on a reasonable timeline to completion;

Ensure that the organization has a complete inventory of business associates for purposes of the Phase 2 Audit data requests;

If the organization has not implemented any of the Security Standards’ addressable implementation standards for any of its information systems, confirm that the organization has documented: (i) why any such addressable implementation standard was not reasonable and appropriate and (ii) all alternative security measures that were implemented;

Ensure that the organization has implemented a breach notification policy that accurately reflects the content and deadline requirements for breach notification under the Breach Notification Standards;

Health care provider and health plan covered entities should ensure that they have a compliant Notice of Privacy Practices and not just a website privacy notice;

Ensure that the organization has reasonable and appropriate safeguards in place for PHI that exists in any form, including paper and verbal PHI;

Confirm that workforce members have received training on the HIPAA Standards that are necessary or appropriate for a workforce member to perform his/her job duties;

Confirm that the organization maintains an inventory of information system assets, including mobile devices (even in a bring your own device environment);

Confirm that all systems and software that transmit electronic PHI employ encryption technology or that the organization has a documented risk analysis supporting the decision not to employ encryption;

Confirm that the organization has adopted a facility security plan for each physical location that stores or otherwise has access to PHI, in addition to a security policy that requires a physical security plan; and

Review the organization’s HIPAA security policies to identify any actions that have not been completed as required (e.g., physical security plans, disaster recovery plan, emergency access procedures, etc.).

The OCR Audit Protocol for the Phase 2 Audits is posted on the OCR website. It is 67 pages long!

HIPAA Enforcement

Since the compliance date of the Privacy Rule in April 2003, OCR has received over 106,522 HIPAA complaints and has initiated over 1,183 compliance reviews. OCR has resolved ninety-five percent of these cases.

OCR has investigated and resolved over 23,314 cases by requiring changes in privacy practices and corrective actions or providing technical assistance to HIPAA covered entities and their business associates.

In another 10,566 cases, OCR investigations found no violation had occurred.

Additionally, in 7,883 cases, OCR has intervened early and provided technical assistance to HIPAA covered entities, their business associates, and individuals exercising their rights under the Privacy Rule, without the need for an investigation.

In the rest of the completed cases (68,412), OCR determined that the complaint did not present an eligible case for enforcement. These include cases in which:

OCR lacks jurisdiction under HIPAA. For example, in cases alleging a violation by an entity not covered by HIPAA;

The complaint is untimely, or withdrawn by the filer.

The activity described does not violate the HIPAA Rules. For example, in cases where the covered entity has disclosed protected health information in circumstances in which the Privacy Rule permits such a disclosure.

From the compliance date to December 31, 2014, the compliance issues investigated most are, in order of frequency:

1. Impermissible uses and disclosures of protected health information;

2. Lack of safeguards of protected health information;

3. Lack of patient access to their protected health information;

4. Lack of administrative safeguards of electronic protected health information; and

5. Use or disclosure of more than the minimum necessary protected health information.

The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:

1. Private Physician Practices;

2. General Hospitals;

3. Outpatient Facilities;

4. Pharmacies; and

5. Health Plans (group health plans and health insurance issuers).

Security Rule Enforcement

Since OCR began reporting enforcement of the security rule in October of 2009, they have received 940 complaints. 689 complaints have been resolved. As of August 31, 2014, 316 of these complaints remain outstanding.

Referrals to Department of Justice

As of December 31, 2014, OCR has referred 543 cases to the Department of Justice for criminal investigation involving violations of the HIPAA Privacy Regs.

OCR Case Settlements

Hospital Implements New Minimum Necessary Policies for Telephone Messages

A hospital employee did not observe minimum necessary requirements when she left a telephone message with the daughter of a patient that detailed both her medical condition and treatment plan.

An OCR investigation also indicated that the confidential communications requirements were not followed, as the employee left the message at the patient’s home telephone number, despite the patient’s instructions to contact her through her work number.

Hospital was required to:

1. Only leave “minimum necessary” info in messages;

2. Train employees on what “minimum necessary” info they were allowed to leave on a message;

3. Train employees on reviewing patient contact directives with patients during registration; and

4. These new procedures were incorporated into new employee and yearly compliance training.

Hospital Issues Guidelines Regarding Disclosures to Avert Threats to Health or Safety

After treating a patient injured in a rather unusual sporting accident, the hospital released to the local media, without the patient’s authorization, copies of the patient’s skull x-ray as well as a description of the complainant’s medical condition.

The local newspaper then featured on its front page the individual’s x-ray and an article that included the date of the accident, the location of the accident, the patient’s gender, a description of the patient’s medical condition, and numerous quotes from the hospital about such unusual sporting accidents.

The hospital asserted that the The hospital asserted that the disclosures were made to disclosures were made to avert a serious threat to avert a serious threat to health or safety; however, health or safety; however, OCR’s investigation indicated OCR’s investigation indicated that the disclosures did not that the disclosures did not meet the Privacy Rule’s meet the Privacy Rule’s standard for such actions. standard for such actions.

4949

The investigation also indicated The investigation also indicated that the disclosures did not meet that the disclosures did not meet the Rule’s de-identification the Rule’s de-identification standard and therefore were not standard and therefore were not permissible without the permissible without the individual’s authorization. individual’s authorization. Among other corrective actions Among other corrective actions to resolve the specific issues in to resolve the specific issues in the case, OCR required the the case, OCR required the hospital to develop and hospital to develop and implement a policy regarding implement a policy regarding disclosures related to serious disclosures related to serious threats to health and safety, and threats to health and safety, and to train all members of the to train all members of the hospital staff on the new policy.hospital staff on the new policy.

5050

OCR Case Settlements

Hospital Corrects Impermissible Disclosure of PHI in Response to a Subpoena

A hospital, in response to a subpoena (not accompanied by a court order), impermissibly disclosed the protected health information (PHI) of one of its patients.

Contrary to the Privacy Rule protections for information sought for administrative or judicial proceedings, the hospital failed to determine that reasonable efforts had been made to ensure that the individual whose PHI was being sought received notice of the request and/or failed to receive satisfactory assurance that the party seeking the information made reasonable efforts to secure a qualified protective order.

Among other corrective actions to remedy this situation, OCR required that the hospital revise its subpoena processing procedures. Under the revised process, if a subpoena is received that does not meet the requirements of the Privacy Rule, the information is not disclosed; instead, the hospital contacts the party seeking the subpoena and the requirements of the Privacy Rule are explained. The hospital also trained relevant staff members on the new procedures.

OCR Case Settlements

Physician Practice Provides Access to All Records, Regardless of Source

A physician practice denied an individual access to his records on the basis that a portion of the individual's record was created by a physician not associated with the practice.

While the amendment provisions of the Privacy Rule permit a covered entity to deny an individual's request for an amendment when the covered entity did not create the portion of the record subject to the request for amendment, no similar provision limits individuals' rights to access their protected health information.

Among other steps to resolve the specific issue in this case, OCR required the physician practice to revise its access policy and procedures to affirm that, consistent with the Privacy Rule standards, patients have access to their record regardless of whether another entity created information contained within it.

OCR Case Settlements

Hospital Revises Email Distribution as a Result of a Disclosure to Persons Without a "Need to Know"

A complainant, who was both a patient and an employee of the hospital, alleged that her protected health information was impermissibly disclosed to her supervisor.

OCR’s investigation revealed that the hospital distributed an Operating Room (OR) schedule to employees via email, and that the hospital’s OR schedule contained information about the complainant’s upcoming surgery.

While the Privacy Rule may permit the disclosure of an OR schedule containing PHI, in this case a hospital employee shared the OR schedule with the complainant’s supervisor, who was not part of the employee's treatment team and did not need the information for payment, health care operations, or other permissible purposes.

Hospital was required to:

1. Discipline and retrain the employee; and

2. Revise its policy on distribution of the OR schedule.

OCR Case Settlements

Physician Practice Ceases Conditioning of Compliance with the Privacy Rule

A physician practice requested that patients sign an agreement entitled “Consent and Mutual Agreement to Maintain Privacy.”

The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician’s compliance with the Privacy Rule.

A patient’s rights under the Privacy Rule are not contingent on the patient’s agreement with a covered entity. A covered entity’s obligation to comply with all requirements of the Privacy Rule cannot be conditioned on the patient’s silence.

OCR required the covered entity to cease using the Patient Agreement and required the practice to revise its Notice of Privacy Practices.

QUESTIONS

Lynda M. Johnson

Friday, Eldredge & Clark, LLP

[email protected]
