The HITECH Act went well beyond shiny promises to reimburse providers for EHR implementation. It also dramatically increased civil monetary penalties for unauthorized releases of protected health information and added significantly to the Office of Civil Rights’ enforcement resources, among other things. Perhaps more significantly, HHS and OCR seem invigorated by the passage of HITECH and have made clear through their enforcement actions that technical security and unauthorized disclosures via portable electronic devices are squarely in their crosshairs. Part and parcel of this enhanced scrutiny is OCR’s concern about security breaches through social media, as that technology becomes an increasingly popular form of communication.
The times, they are a changin’ …
Hospitals and other covered entities originally responded to the passage of HIPAA with a flurry of activity, mostly in the form of privacy notices, the installation of new policies and procedures, and the delivery of regular employee training. Over time, the market learned to meet news of substantial fines levied by HHS for failure to enact these basic safeguards with a mental shrug.
Recently, however, the environment has become more active, and we are beginning to see HIPAA violations and penalties that illustrate the changing focus on the nature of compliance. Certainly, OCR continues to police unauthorized releases of PHI in hard copy format, but it is no coincidence that HHS’ gallery of offenders has become more populated with CEs like BCBS of Tennessee ($1.5 million payment this month to settle the matter of 57 lost and unencrypted hard drives containing PHI) than with the likes of Massachusetts General Hospital ($1 million payment last year as settlement for losing hard copy patient files on the subway).
Reports of privacy breaches through Facebook, Twitter, MySpace and other platforms are increasing and can be ignored only at a hospital’s peril. Earlier this month, a nurse in California posted on his Facebook wall a patient’s picture and chart, along with his comments on her sexual health concerns (because, he said, 1) it was “only Facebook,” and therefore not “real,” and 2) he thought it was “funny — and that if you didn’t get the joke, then too bad”). Other recent incidents of similar behavior include ER personnel posting pictures on the web of a man dying from knife wounds, and a physician in Oklahoma treating a patient via Twitter. Extreme examples? Perhaps. But few will argue that the concept of privacy in a social-media world does not square with privacy as demanded by HIPAA. Because these particular violations are so new, HHS has yet to reach a formal decision on its response, but there is little doubt we will soon hear more on these incidents. Moreover, HHS will only be part of the story, with private legal actions brought by patients in their local jurisdictions for violations of state privacy laws likely to follow.
HHS has clearly signaled the need for all CEs to implement a comprehensive policy on the use of social media, the employment of reasonable means to safeguard PHI, and the consistent application and enforcement of a sanctions policy. What isn’t yet clear is the extent to which HHS will expect and demand that CEs take steps to identify breaches and engage in corrective action to mitigate the extent of the incident. However, all indications are that CEs not aggressively attempting to get out in front of unauthorized releases of PHI through all avenues, including social media, will face stiff penalties, including fines and corrective action plans.
New problems need new tools
New monitoring tools are being developed to address these concerns. For example, Novarus Healthcare, a Charlotte, North Carolina-based mobile solution development company, is developing a confidential and proprietary mobile technology platform that proactively monitors social media sites for HIPAA violations to allow providers to meet the developing challenge presented by the use and prevalence of social media. As social media continues to grow, tools to allow providers to identify and correct violations will become an integral part of a coordinated risk management program. The Novarus Healthcare application will, in addition to identifying the potential breach, score the severity of the issue, and provide reports to the client CE that are easily understandable and actionable so that it may aggressively address improper behavior immediately.
In May of 2012, Novarus Healthcare, McGuire Woods, and Stratford Consulting will host several web conferences to discuss the concerns CEs have regarding the use of social media by employees and staff, its relation to patient privacy, and the potential ramifications of improper use. Those interested in participating should send an email to thearn@novarushealthcare.com and he will send you the dates and times of the web conferences once they are finalized. Additionally, Novarus is searching for providers interested in serving as beta sites for this new application. For more information on this web conference, product or beta opportunity, please contact Novarus Healthcare at (800) 704-1716.