To say that the medical community has noticed a change in the government's enforcement stance regarding HIPAA violations would be quite an understatement. Examples of cringe-worthy behavior by providers are becoming legion. In addition to the now near-famous case involving Westerly Hospital in Rhode Island and Alexandra Thran, MD, news reports of physicians discussing patient cases on Facebook, nurses posting "humorous" X-rays on-line and medical personnel "friending" patients, similar incidents are disturbingly common. HHS investigations into this type of behavior represent a sea-change in the nature of HIPAA compliance — from one of education and the handling of paper records, to one of enforcement and the security of electronic media — and a change that should have CIOs, general counsels and compliance directors taking notice. Failure to proactively address these issues could land health systems in perilous waters, in the local media or even as the lead story on 60 Minutes.
The HITECH Act went well beyond shiny promises to reimburse providers for EHR implementation. It also dramatically increased civil monetary penalties for unauthorized releases of protected health information and added significantly to the Office of Civil Rights' enforcement resources, among other things. Perhaps more significantly, HHS and OCR seem invigorated by the passage of HITECH and have made clear through their enforcement actions that technical security and unauthorized disclosures via portable electronic devices are squarely in their crosshairs. Part and parcel of this enhanced scrutiny is OCR's concern about security breaches through social media, as that technology becomes an increasingly popular form of communication.
The times, they are a changin' …
Hospitals and other covered entities originally responded to the passage of HIPAA with a flurry of activity, mostly in the form of privacy notices, the installation of new policies and procedures, and the delivery of regular employee training. Over time, the market learned to meet news of substantial fines levied by HHS for failure to enact these basic safeguards with a mental shrug.

Recently, however, the environment has become more active, and we are beginning to see HIPAA violations and penalties that illustrate the changing focus on the nature of compliance. Certainly, OCR continues to police unauthorized releases of PHI in hard copy format, but it is no coincidence that HHS' gallery of offenders has become more populated with CEs like BCBS of Tennessee ($1.5 million payment this month to settle the matter of 57 lost and unencrypted hard drives containing PHI), than with the likes of Massachusetts General Hospital ($1 million payment last year as settlement for losing hard copy patient files on the subway).
Reports of privacy breaches through Facebook, Twitter, MySpace and other platforms are increasing and can be ignored only at a hospital's peril. Earlier this month, a nurse in California posted on his Facebook wall a patient's picture and chart, along with his comments on her sexual health concerns (because, he said, 1) it was "only Facebook," and therefore not "real," and 2) he thought it was "funny" — and that if you didn't get the joke, then too bad). Other recent incidents of similar behavior include ER personnel posting pictures on the web of a man dying from knife wounds, and a physician in Oklahoma treating a patient via Twitter. Extreme examples? Perhaps. But few will argue that the concept of privacy in a social-media world does not square with privacy as demanded by HIPAA. Because these particular violations are so new, HHS has yet to reach a formal decision on its response, but there is little doubt we will soon hear more on these incidents. Moreover, HHS will only be part of the story, with private legal actions brought by patients in their local jurisdictions for violations of state privacy laws likely to follow.
HHS has clearly signaled the need for all CEs to implement a comprehensive policy on the use of social media, the employment of reasonable means to safeguard PHI and the consistent application and enforcement of a sanctions policy. What isn't yet clear is the extent to which HHS will expect and demand that CEs take steps to identify breaches and engage in corrective action to mitigate the extent of the incident. However, all indications are that CEs not aggressively attempting to get out in front of unauthorized releases of PHI through all avenues, including social media, will face stiff penalties, including fines and corrective action plans.
New problems need new tools
New monitoring tools are being developed to address these concerns. For example, Novarus Healthcare, a Charlotte, North Carolina-based mobile solution development company, is developing a confidential and proprietary mobile technology platform that proactively monitors social media sites for HIPAA violations to allow providers to meet the developing challenge presented by the use and prevalence of social media. As social media continues to grow, tools to allow providers to identify and correct violations will become an integral part of a coordinated risk management program. The Novarus Healthcare application will, in addition to identifying the potential breach, score the severity of the issue, and provide reports to the client CE that are easily understandable and actionable so that it may aggressively address improper behavior immediately.

In May of 2012, Novarus Healthcare, McGuire Woods, and Stratford Consulting will host several web conferences to discuss the concerns CEs have regarding the use of social media by employees and staff, its relation to patient privacy and the potential ramifications of improper use. Those interested in participating should send an email to thearn@novarushealthcare.com and he will send you the dates and times of the web conferences once they are finalized. Additionally, Novarus is searching for providers interested in serving as beta sites for this new application. For more information on this Web conference, product or beta opportunity, please contact Novarus Healthcare at (800) 704-1716.