480 likes | 606 Views
M GMA 2013 ANNUAL CONFERENCE October 7, 2013 Paradigm Shift: Patients, Physician Practices and Electronic Communication. Presenters: Barbara J. Zabawa & Melinda S. Giftos. Presentation Summary. Overview of Current & Emerging Practices Five Risk Areas with Best Practice Recommendations
E N D
MGMA 2013 ANNUAL CONFERENCEOctober 7, 2013Paradigm Shift: Patients, Physician Practices and Electronic Communication Presenters: Barbara J. Zabawa & Melinda S. Giftos
Presentation Summary • Overview of Current & Emerging Practices • Five Risk Areas with Best Practice Recommendations • Q & A
What is Happening Now? Communications Explosion! • Web sites & social media • Personal health record software • User-generated content • Mobile, e-mail, text
Patient-Generated Content Patient testimonials. http://youtu.be/n_rF45bUEJg
mHealth • BYOD (bring your own device) • Specialized health applications allow patients tomonitor their own data • Real-time medical data • DIY diagnosis and sharing • E-mail and text communication
Advantages of E-Communication • Convenient • Efficient • Less expensive than office visit • Creates record of communication • Automatic documentation in EMR • Patient-centered medical home achievement
Disadvantages /Barriers • More work for providers • Resistance to change • Reimbursement issues • Risk of liability
5 Areas of Risk • Damage to Reputation / violation of fair advertising laws • HIPAA/state law violations • Loss of Patient Data • Employee issues (violations of the NLRA) • Malpractice liability
1. Reputation & Branding Risks Social media can enhance OR damage your reputation Negative reviews False reviews If patient appears coerced into giving testimonial, could be very damaging
Potential Liability Are you adhering to Federal Trade Commission advertising guidelines? • Claims must be substantiated • Cannot give only extraordinary results • Generally expected results • Creates difficulty in medical field
Best Practices • Use only testimonials that are substantiated by your records • Use a spectrum of testimonials (not just the greatest results) • Add disclaimers • Be transparent and don’t promise too much, while still highlighting your successes
2. Risk of HIPAA Violations More devices Social media Frequent communications Share culture All increase risk of HIPAA violation.
Example: Web-based Calendar Clinic posted clinical and surgical appointments for its patients on public web-based calendar • Clinic implemented very few policies and procedures to safeguard ePHI • Result: $100,000 settlement with OCR, plus corrective action
OCR Warning: “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”
Example: Stolen Laptop $1.5 million settlement after unencrypted laptop containing PHI of patients and research subjects was stolen “In an age when health information is stored and transported on portable devices, such as laptops, tabletop and mobile phones, special attention must be paid to safeguarding the information held on these devices. This enforcement action emphasizes that compliance with HIPAA must be prioritized by management and implemented throughout an organization from top to bottom.”
HIPAA ACE or BA may not use or disclose PHI except as permitted or required by the Privacy Rules Facebook and other social media posts can be ePHI if patients identified by name (or otherwise) and context of posts (or information about poster) says something about medical condition or patient status of individual
Social Media Slips 2 paramedic students-in- training took digital photos of a shark attack victim, and subsequently e-mailed the photos to numerous friends Medical Economics, October 10, 2012
Social Media Slips On his blog, a doctor called a patient lazy and ignorant because she had made several visits to the ER after failing to monitor her sugar levels Medical student filmed a doctor inserting a chest tube into a patient, whose face was clearly visible, and posted the footage on YouTube Chicago Daily Herald, July, 2012
Social Media Slips Temporary employee posted a photo of a patient’s medical record (clearly showing name), accompanied by the comment, “funny but this patient in to cure her VD and get birth control.”* Nurse posted on her Facebook page that she had treated a “cop killer” the day following many news accounts naming the accused shooter and the hospital where he was treated.** *“Patient Info on Facebook Traced to Temp Staff,” Same-Day Surgery (May 1, 2012), 2012 WLNR 7485380; **“Nurse Fired for Off-Duty Post on her Facebook,” Healthcare Risk Management (October 1, 2010) 2010 WLNR 19684422.
Is it a Violation? Whether social media posts using patient information constitute a HIPAA violation will depend upon purpose of post and to whom post was disclosed • Ok to use social media to disclose to subject of PHI without authorization (so long as post is not viewed by others) • Ok to use e-communications to disclose to another CE for TPO without patient authorization
Common Misunderstandings • Post is private and accessible only to intended recipient(s) • Deleted posts are no longer accessible • If site is limited (“private”) to selected recipients, that disclosure of patient information is harmless if only read by selected recipient(s)
Common Misunderstandings • No breach of confidentiality if name is not disclosed but other key information about patient is disclosed (from which identification is possible) • Confusion about patient’s freedom to disclose information about himself/herself and the need for the nurse (provider, institution) to refrain from disclosing information – even if it is in response to the patient
Risk of Sanctions Example: Rhode Island physician was reprimanded and fined by the State Medical Board for an inadvertent Facebook posting (without giving patient names, detailed certain patient encounters in the ER, but because of the nature of the patients’ injuries, they could be identified by third parties)
Risk of Sanctions In a 2010 survey, 33 of 46 responding boards of nursing reported receiving complaints of nurses posting photos or information about patients on social networking sites and that 26 of the 33 boards took some sort of disciplinary action in response – minimally, letters of censure National Council of State Boards of Nursing; 2010 nationwide survey
AMA Ethics Opinions • Opinion 5.026 - email should not be used to establish physician-patient relationship; only to supplement other encounters • Physicians should communicate to patients the inherent limitations of email, such as potential for breaches and delayed responses
AMA Ethics Opinions Opinion 9.124 on social media recommends: Physicians use privacy settings to safeguard personal information and content, but should realize that privacy settings are not absolute and that once on the Internet, content is likely there permanently.
AMA Ethics Opinions When physician sees content posted by colleagues that appears unprofessional, they have responsibility to bring that content to the attention of the individual so he or she can remove it or take other appropriate actions. If individual fails to take appropriate action, physician should report matter to authorities.
Best Practices: HIPAA • Understand federal and state patient confidentiality rules • Update risk assessments • Put clear and understandable policies in place • Promptly investigate suspected violations • Make HIPAA compliance a priority
3. Risk of Data Loss With more and more of a shift to electronic information and communication, risk of data loss increases. What happens if you lose patient data?
Increased Reliance on Others We rely heavily on many third-party providers for data protection and integrity. This comes with some serious risks that must be considered and accounted for.
Best Practices • Enter into strong contracts that protect your data • Ensure you have immediate recourse if data is interrupted • Ensure you have a back-up method that is 100% within your control • Consider keeping alternate records
4. Risk Area - Employees National Labor Relations Act - Section 8 (29 USC s. 158) prohibits an employer from interfering with, restraining or coercing employees in the exercise of Section 7 rights.
Risk Areas - Employees Personal gripes not protected Posts on working conditions are protected Employer restrictions on contents of employee postsmay violate NLRA
Social Media Policies Employer social media policies: • An employer violates the NLRA through maintenance of a policy that “would reasonably tend to chill employees in the exercise of their Section 7 rights.” May 30, 2012 NLRB General Counsel Report
Examples General Motors had a policy on revealing “non-public information” and “friending co-workers”: “Think carefully about ‘friending’ co-workers on external social media sites.” Overbroad or acceptable?
Risk Areas - Employees “Communications with co-workers on external social media sites that would be inappropriate in the workplace are also inappropriate online.” Overbroad or acceptable?
Risk Areas - Employees Policy language: “Report any unusual or inappropriate internal social media activity to the system administrator.” Overbroad or acceptable?
Risk Areas - Employees Policy language: “Employer’s Social Media Policy will be administered in compliance with applicable laws and regulations (including Section 7 of the National Labor Relations Act).” Did this cure the ambiguities in GM’s overbroad rules?
More Examples Walmart Social Media Policy: Prohibits “inappropriate postings that may include discriminatory remarks, harassment and threats of violence or similar inappropriate or unlawful conduct.” Overbroad or Acceptable?
Best Practices • A solid, lawful social media policy is critical • Proper training and education are key (on all levels) • Knowledge is power. • See attached example of social media policy • One size does not fit all – see your attorney
5. Risk Area - Malpractice Liability • Increased risk if patients are doing DIY research • Increased risk if patients video-taping or audio-recording appointments • Increased documentation / discoverable evidence in lawsuits
Malpractice Liability • Sometimes electronic/mobile communication is not as complete or professional • However, it is still part of the medical record and can be discovered and used in any dispute
Best Practices • Implement policies on what is acceptable during patient visits • Training is key • Keeping detailed records is key • Understand that these technologies may be implicated in and discoverable in litigation
Questions? * Stock images used with permission from Microsoft, istockphoto.com and other sources
Contact Us Melinda S. Giftos IP/IT Attorney Phone: 608-234-6076 Email: mgiftos@whdlaw.com Twitter: @IntellectLawyer LinkedIn: /MadisonIPAttorney Barbara J. ZabawaJ.D., MPH, FACHE Health Care Team Leader Phone: 608-234-6075 Email: bzabawa@whdlaw.com