Hot Legal Topics in Health Care in 2015 By LYNDA M. JOHNSON
HIPAA and Social Media With new technology comes new problems!!
Two paramedic students working in the ED in Florida as part of their training took digital photos of a patient who had been attacked by a shark and e-mailed the photos to several friends.
A Chicago physician, on his blog, called a patient “lazy” and “ignorant” because she had made several visits to the ED after failing to monitor her sugar level.
A medical student filmed a doctor inserting a chest tube into a patient, whose face was clearly visible, and posted the footage on YouTube.
A nurse did not think twice about posting on her Facebook page that she had treated a “cop killer” the day after many news accounts had named the accused shooter and the hospital where he was treated.
If only these individuals had taken some time and used the “Coffee Shop Test” before posting the information: If you wouldn’t talk about it with a friend in a coffee shop, then it’s not appropriate to talk about it online (and it’s never ok to talk about specific patients with a friend in a coffee shop).
Let’s talk about this hypothetical situation: Nurse Mary, using her personal iPhone, after work hours, posts on her Facebook page (after describing her daughter’s soccer game and shopping outing earlier that day) the following: “I met (Famous Football Player) today!! Such a nice guy! Not bad on the eyes too!” Later that same day, in response to a “Friend’s” question, Mary responded: “He came in for a broken arm.” Meanwhile, one of Mary’s Friends, “Susan,” responded to Mary’s original post with a simple “Like.”
It is important for you to know: Mary’s Profile states that she is a Registered Nurse who works in the Orthopedics Department of Large Hospital System in Anytown, USA; and among her “Friends” is a co-worker, “Susan,” a Physical Therapist who works in the same Department of the same Hospital. Susan’s Profile also states her profession and her place of work.
Around 90 days later, Large Hospital System receives a letter from the Office for Civil Rights advising that it received an anonymous complaint alleging that it was not in compliance with the HIPAA Privacy Standards and, more specifically, that Mary had impermissibly disclosed protected health information of individuals who were patients of the Hospital’s Orthopedics Department. Specifically, it is alleged that Mary posted PHI on her Facebook page related to the patient status and medical condition of “Famous Football Player.”
The “general” rule is that, under HIPAA, a Covered Entity (or Business Associate) may not use or disclose PHI except as permitted or required by the Privacy Rules. Facebook and other social media posts, like verbal “gossip” about patients, are electronic forms of PHI if patients are identified by name (or otherwise) and the context of the posts says something about the medical condition or patient status of the individual. In the “Mary” hypothetical, this would be a HIPAA violation.
Now let’s talk about some lawsuits: In late December of 2013, a patient who was seen at the ED of Northwestern Memorial Hospital in Chicago sued the Hospital, the Feinberg School of Medicine and the physician who treated her, after the physician posted pictures of the drunk patient to social media. She is seeking $1.5 million in damages. The patient is an actress, model and ex-professional tennis player from Russia who claims that the postings damaged her future career prospects and caused her emotional distress. In posting the pictures, the physician invited friends for rooftop cocktails across the street from the ED where the patient was admitted for alcohol poisoning.
Walgreens was ordered to pay $1.44 million in a lawsuit brought against it for a violation of HIPAA by one of its pharmacist employees. The pharmacist looked up the medical records of her husband’s ex-girlfriend, whom she suspected of giving her husband an STD. She found what she was looking for, told her husband about it, and he then sent a text message to the ex and told her he knew all about the results. The ex figured out how the husband found out about the results and filed the lawsuit, not against the pharmacist, but against the deep-pocketed Walgreens. The jury decided that Walgreens was responsible for 80% of the verdict. (I guess that means the total verdict was $1.8 million.) Walgreens said it will appeal. But wait, HIPAA does not allow a private right of action, so how did this lawsuit proceed? It was brought under common law theories of invasion of privacy, negligence and professional malpractice. Walgreens was not sued for violating HIPAA; however, the HIPAA violation by Walgreens’ employee was used to show that Walgreens was negligent.
Common Myths and Misunderstandings of Social Media:
• A mistaken belief that the communication or post is private and accessible only to the intended recipient.
• A mistaken belief that content that has been deleted from a site is no longer accessible.
• A mistaken belief that it is harmless if patient information is disclosed when the communication is accessed only by the intended recipient. This is still a HIPAA violation if the intended recipient is an unauthorized individual.
• A mistaken belief that it is acceptable to discuss or refer to patients if they are not identified by name, but referred to by a nickname, room number, diagnosis or condition.
• Confusion between a patient’s right to disclose personal information about himself/herself and the obligation of a health care provider to refrain from disclosing such information unless it is related to treatment, payment or health care operations. The ease of posting and the commonplace nature of sharing information via social media may appear to blur the line between one’s personal and professional lives.
OCR to Begin Phase 2 of HIPAA Audit Program The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) will soon begin a second phase of audits (Phase 2 Audits) of compliance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security and breach notification standards (HIPAA Standards) as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Phase 1 Audit Findings
OCR audited 115 covered entities under the Phase 1 Audit program, with the following aggregate results:
• There were no findings or observations for only 11% of the covered entities audited;
• Despite representing just more than half of the audited entities (53%), health care providers were responsible for 65% of the total findings and observations;
• The smallest covered entities were found to struggle with compliance under all three of the HIPAA Standards;
• Greater than 60% of the findings or observations were Security Standard violations, and 58 of 59 audited health care provider covered entities had at least one Security Standard finding or observation even though the Security Standards represented only 28% of the total audit items;
• Greater than 39% of the findings and observations related to the Privacy Standards were attributed to a lack of awareness of the applicable Privacy Standard requirement; and
• Only 10% of the findings and observations were attributable to a lack of compliance with the Breach Notification Standards.
The Phase 2 Audit Program
• OCR will audit approximately 150 covered entities and 50 business associates for compliance with the Security Standards, 100 covered entities for compliance with the Privacy Standards and 100 covered entities for compliance with the Breach Notification Standards.
• These audits will be “desk audits.”
• Covered entities and business associates will have two weeks to respond to OCR’s audit request.
• OCR will only consider documentation that is submitted on time.
The Phase 2 Audits will target HIPAA Standards that were sources of high numbers of non-compliance in the Phase 1 Audits, including:
• risk analysis and risk management;
• content and timeliness of breach notifications;
• notice of privacy practices;
• individual access;
• Privacy Standards’ reasonable safeguards requirement;
• training on policies and procedures;
• device and media controls; and
• transmission security.
OCR also projects that Phase 2 Audits in 2016 will focus on the Security Standards:
• encryption and decryption requirements;
• facility access controls;
• breach reports and complaints; and
• other areas identified by earlier Phase 2 Audits.
Phase 2 Audits of business associates will focus on:
• risk analysis;
• risk management; and
• breach reporting to covered entities.
The OCR Audit Protocol for the Phase 2 Audits is posted on the OCR website. It is 67 pages long!
HIPAA Enforcement
Since the compliance date of the Privacy Rule in April 2003, OCR has received over 106,522 HIPAA complaints and has initiated over 1,183 compliance reviews. OCR has resolved ninety-five percent of these cases.
OCR has investigated and resolved over 23,314 cases by requiring changes in privacy practices and corrective actions, or by providing technical assistance to, HIPAA covered entities and their business associates.
In another 10,566 cases, OCR investigations found no violation had occurred.
Additionally, in 7,883 cases, OCR has intervened early and provided technical assistance to HIPAA covered entities, their business associates, and individuals exercising their rights under the Privacy Rule, without the need for an investigation.
In the rest of the completed cases (68,412), OCR determined that the complaint did not present an eligible case for enforcement. These include cases in which:
• OCR lacks jurisdiction under HIPAA. For example, in cases alleging a violation by an entity not covered by HIPAA;
• The complaint is untimely, or withdrawn by the filer; and
• The activity described does not violate the HIPAA Rules. For example, in cases where the covered entity has disclosed protected health information in circumstances in which the Privacy Rule permits such a disclosure.
From the compliance date to December 31, 2014, the compliance issues investigated most are, in order of frequency:
• Impermissible uses and disclosures of protected health information;
• Lack of safeguards of protected health information;
• Lack of patient access to their protected health information;
• Lack of administrative safeguards of electronic protected health information; and
• Use or disclosure of more than the minimum necessary protected health information.
The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:
• Private Physician Practices;
• General Hospitals;
• Outpatient Facilities;
• Pharmacies; and
• Health Plans (group health plans and health insurance issuers).
Security Rule Enforcement
Since OCR began reporting enforcement of the Security Rule in October of 2009, it has received 940 complaints. 689 complaints have been resolved. As of August 31, 2014, 316 of these complaints remain outstanding.
Referrals to Department of Justice
As of December 31, 2014, OCR has referred 543 cases to the Department of Justice for criminal investigation involving violations of the HIPAA Privacy Regs.
Issues Likely Arising During the Last Half of 2015 and Beyond
The Future of the Affordable Care Act
• USSC decision in King v. Burwell will determine if ACA is viable.
• Issue is whether Federal subsidies are available for coverage that is purchased on the Federal exchange or whether the subsidies are only available for coverage that is purchased on an exchange established by a State.
• Court is split 4-4, with Scalia being the likely “swing vote.”
• Decision is expected end of June to early July.
Mobile Health Technology
• “There’s an app for that.”
• FDA has stated it will not regulate activity trackers, like FitBit.
• That may change when the “wearables” start communicating with electronic health records and medical devices.
Employment-Based Wellness Programs
• EEOC issued proposed regulations on April 16, 2015 regarding these programs.
• Under the proposed regs, the wellness program must be voluntary.
• Employees may not be required to participate in a wellness program, may not be denied health insurance or given reduced health benefits if they do not participate, and may not be disciplined for not participating.
• Employers may offer limited incentives to an employee to participate or to achieve health outcomes, but the incentives may not exceed 30% of the total cost of employee-only coverage.
• Medical information obtained as part of a wellness program must be kept confidential.
• Employers must provide reasonable accommodations to enable employees with disabilities to participate and earn incentives offered by the employer, such as providing a sign language interpreter to allow a deaf employee to participate in a nutrition class or providing printed information in Braille or in large format to allow a vision-impaired employee to participate.
• Comment period runs until June 19, 2015.
QUESTIONS
Lynda M. Johnson
Friday, Eldredge & Clark, LLP
Ljohnson@fridayfirm.com
501-370-1553