HIPAA HAZARDS & SOCIAL MEDIA SNAFUS
NARHC, March 20, 2018
Margaret Scavotto, JD, CHC
MPA, St. Louis, MO
EXPECT THE UNEXPECTED
SNOOPING EMPLOYEES WILL BE TEMPTED TO SNOOP MEDICAL RECORDS.
SNOOPING
A nurse snooped the medical records of her nephew's girlfriend and learned she had had a baby and given it up for adoption. This secret was announced at a family funeral. A hospital employee snooped patient records for 14 years. When Britney Spears was hospitalized in 2008 for psychiatric care, 13 employees and 6 physicians at UCLA Medical Center looked at her medical records without a reason.
SNOOPING Who are YOUR celebrities?
SNOOPING What can you do?
Address snooping in your SRA and policies
Limit access
Terminate access
Review info system activity
Set up alerts
Use access controls
TRAIN
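"Review info system activity" and "set up alerts" are the two controls on this slide that actually catch snooping after access controls have been set. The script below is an added example, not material from the presentation: it reviews a constructed EHR audit export and flags accesses that lack a treatment relationship, accesses to watch-listed ("celebrity") records, and accesses where the staff member shares a surname with the patient (a common family-snooping indicator). The log format, the care-team table, the watch list and every name and patient id are constructed assumptions standing in for your own EHR's audit export and scheduling data.

```python
"""Review EHR access logs for snooping indicators.

Added example, not part of the original presentation. Every value below is
constructed; the CSV columns, the care-team table and the watch list are
assumptions standing in for a real EHR audit export and assignment data.
"""
import csv
from collections import Counter
from dataclasses import dataclass
from io import StringIO

# Constructed: which staff are legitimately assigned to which patient today.
CARE_TEAM = {
    "P-1001": {"nurse.kim", "dr.ortiz"},
    "P-1002": {"nurse.kim"},
    "P-1003": {"dr.ortiz", "tech.lee"},
}

# Constructed: records that should raise an alert on *any* access,
# even by assigned staff (the deck's "who are YOUR celebrities?").
WATCH_LIST = {"P-1003"}

# Constructed staff and patient directories for the same-surname heuristic.
STAFF_SURNAME = {"nurse.kim": "Kim", "dr.ortiz": "Ortiz",
                 "tech.lee": "Lee", "clerk.diaz": "Diaz"}
PATIENT_SURNAME = {"P-1001": "Diaz", "P-1002": "Nguyen", "P-1003": "Ortiz"}

# Constructed audit export; real exports carry many more columns.
SAMPLE_LOG = """timestamp,user,patient_id,action
2018-03-20T08:02:11,nurse.kim,P-1001,VIEW_CHART
2018-03-20T08:05:40,dr.ortiz,P-1001,VIEW_NOTES
2018-03-20T12:30:05,clerk.diaz,P-1001,VIEW_CHART
2018-03-20T13:10:22,tech.lee,P-1003,VIEW_RESULTS
2018-03-20T21:45:00,nurse.kim,P-1003,VIEW_CHART
2018-03-20T09:00:00,nurse.kim,P-1002,VIEW_CHART
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    patient_id: str
    reason: str


def review_access_log(log_text):
    """Return one Finding per suspicious indicator, in log order.

    A single access can produce several findings (e.g. an unassigned user
    opening a watch-listed chart yields two).
    """
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        user, patient = row["user"], row["patient_id"]
        reasons = []
        # Minimum-necessary check: is this user on the patient's care team?
        if user not in CARE_TEAM.get(patient, set()):
            reasons.append("no treatment relationship")
        # Alert rule: watch-listed records are reviewed on every access.
        if patient in WATCH_LIST:
            reasons.append("watch-list record")
        # Heuristic: staff looking up someone with their own surname.
        if STAFF_SURNAME.get(user) == PATIENT_SURNAME.get(patient):
            reasons.append("same surname as staff member")
        for reason in reasons:
            findings.append(Finding(row["timestamp"], user, patient, reason))
    return findings


def summarize_by_user(findings):
    """Count findings per user so the review queue can be prioritised."""
    return dict(Counter(f.user for f in findings))


if __name__ == "__main__":
    results = review_access_log(SAMPLE_LOG)
    for f in results:
        print(f"{f.timestamp} {f.user:<11} {f.patient_id} {f.reason}")
    print(summarize_by_user(results))
```

In practice the care-team table comes from scheduling or admission data, and the output feeds a privacy officer's review queue rather than an automatic sanction: the same-surname rule in particular produces false positives and is there to prompt a question, not to decide the answer.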
INSIDERS & BURGLARS WHAT COULD SOMEBODY TAKE FROM YOU?
INSIDERS An ex-employee stole patient information and patient photos from a Rodeo Drive plastic surgery clinic and put them on social media. A mental health tech stole census sheets from a behavioral health facility and sold them for $1,000 each.
INSIDERS What can you do?
Background checks.
Consider insiders in your HIPAA Security risk analysis and mitigation plan.
Use the minimum necessary rule.
Terminate access when employees leave.
BURGLARS What could a burglar steal from you?
Burglars stole a computer containing PHI for 24,000 patients from a dermatology practice. It was not encrypted. Burglars stole paper PHI from an eye doctor's office, leaving the electronic PHI systems untouched. Burglars took 13 boxes of paper medical records from an off-site storage facility. The burglar was caught when he tried to sell the patient records.
BURGLARS What can you do?
Remember there is no such thing as secure paper PHI.
If you use off-site storage, ask about their HIPAA security program.
Signing a BAA is required, but it doesn't guarantee your records are safe.
MAIL WHAT'S IN YOUR ENVELOPE? HIPAA WANTS TO KNOW.
MAIL What could go wrong?
Aetna used a contractor to complete a mailing. The contractor used windowed envelopes. Through the window, the following words could be seen: "when filling prescriptions for HIV medications." The Ohio Dept. of Mental Health and Addiction Services sent a satisfaction survey to its patients via postcard (rather than sealed envelopes).
MAIL Email issues
A hospital executive assistant sent an electronic survey to patients by email. The goal of the survey was to identify ways to improve patient discharge paperwork. Hundreds of patient email addresses were visible in the To: field of the email.
MINIMUM NECESSARY RULE BREACHES WHEN STAFF NEED TO USE PHI, BUT THEY USE TOO MUCH.
MINIMUM NECESSARY RULE BREACHES
A university student health center employee discussed the results of a student's pregnancy test with a female coworker. A nurse was fired from a Kentucky hospital after she told a physician and an EKG technician to wear gloves for a procedure because the patient had Hepatitis C.
MINIMUM NECESSARY RULE BREACHES What can you do? TRAIN.
AUGMENTED REALITY PEOPLE USE THEIR PHONES AND CAMERAS FOR EVERYTHING.
POKÉMON GO
Pokémon Go uses the smartphone's camera to superimpose Pokémon characters on real-time photographs. Pokémon Go lets the user take a screenshot of the app (i.e., of the real-time photograph).
ONLINE REVIEWS THE COMMENTS CONUNDRUM
ONLINE REVIEWS
"I looked very closely at your radiographs and it was obvious that you have cavities and gum disease that your other dentist has overlooked. You can live in a world of denial and simply believe what you want to hear from your other dentist, or make an educated and informed decision." - [Your dentist]
SOCIAL MEDIA EVERYBODY'S DOING IT
PROTECTED HEALTH INFORMATION
HIPAA protects PHI: information that can identify a patient and relates to the patient's health condition, treatment, or payment for treatment.
PHOTOS AND VIDEOS SAY CHEESE!
PHOTOS & VIDEOS Two paramedics were arrested and face criminal charges after they engaged in a selfie war by text.
IT WAS JUST A PICTURE OF HER BUTT
"They just blew everything out of proportion. It was just a picture of her butt. How many people take a picture of people's butts?... I worked in health care for five years. Everybody takes pictures of residents all the time. I'm not the only one."
https://www.propublica.org/article/nursing-home-workers-share-explicitphotos-of-residents-on-snapchat
PHOTOS AND VIDEOS Doctor posted plastic surgery photos online. Hospital employees took photos of a patient with a genital injury.
PROUD PROMOTION
An entry-level clinical staff member received a promotion to an administrative role. The promotion came with an office. The staff member took a video of his desk and posted it to Facebook.
SOCIAL MEDIA: IS IT PHI?
IS IT PHI? Sad day at work today
IS IT PHI? Sad day at work treating someone so young today
IS IT PHI? Sad day at work treating an amputee today
IS IT PHI? SAD DAY AT WORK TREATING MY THIRD GRADE TEACHER TODAY
IS IT PHI? SAD DAY AT WORK TREATING MY THIRD GRADE TEACHER AT WALNUT ELEMENTARY TODAY
SOCIAL MEDIA What you can do:
Social media policy
Breach notification policy
Train, train, train
Audit
IGNORING BREACHES 89% OF HEALTHCARE PROVIDERS HAVE HAD A BREACH
IGNORING BREACHES
Presence Health entered a $475,000 settlement with the OCR after it missed the 60-day breach notification deadline.
10-22-13: Presence discovered the breach (paper OR schedules were missing).
1-31-14: Presence notified OCR of the breach.
BREACH NOTIFICATION
Unsecured PHI = not encrypted or destroyed
Within 60 days of discovery
Who: The patient, OCR, the media (maybe)
BREACH NOTIFICATION What can you do?
Breach Notification policy
Breach analysis decision tree
HIPAA attorney on speed dial
BREACH NOTIFICATION Don't mess with Texas.
Notification is required regardless of risk of harm. Texas DHHS contractors that provide HHS services and create, receive, maintain, use or disclose Confidential Information on behalf of HHS programs or clients must notify HHS of breaches of federal data within 60 minutes.
YOUR ACTION PLAN HOW TO EXPECT THE UNEXPECTED
SECURITY RISK ANALYSIS
Conduct a HIPAA Security risk analysis
Mitigate risks
Update the risk analysis
POLICIES
Privacy
Security
Breach Notification
Omnibus updates effective September 2013
TRAIN, TRAIN
New hires
Annual training
Quarterly or monthly reminders
Board, employees, contractors, managers
In-services, written reminders, email, flyers, video, skits
AUDIT
Walk-throughs
Security audits
Privacy audits
Breach notification audits
Social media audits
LOOK FOR GUIDANCE
At HCCA's 2017 Compliance Institute, Iliana Peters advised that the OCR is developing guidance and FAQs addressing:
Texting
Social media
Minimum necessary
Questions?
Margaret Scavotto, JD, CHC, President
314-394-2222 ext. 24
mcs@healthcareperformance.com
(c) 2018 Management Performance Associates. This presentation does not constitute legal advice.