Attorney Joseph M. Miller led a discussion on the topic of overpayments and internal investigations at the first annual Compliance Education Day at UnityPoint Health on Thursday, October 17, in Cedar Rapids.Continue reading
Desirée Kilburg, attorney and vice president at Shuttleworth & Ingersoll, has been named to the Corridor Business Journal’s 2019 Class of Forty Under 40, and was honored at a ceremony on Thursday, October 17, in Cedar Rapids.Continue reading
The U.S. Department of Health and Human Services, Office of Civil Rights (OCR) recently entered into a settlement agreement with a private dental practice following a violation of the HIPAA Privacy Rule. The settlement stems from a report that the dental practice received a patient complaint on their Yelp page and they publicly responded with some of the patient’s person health information (PHI). OCR’s investigation went on to find that public disclosure of PHI had actually affected multiple patients of the practice. The dental practice will now be paying a $10,000 fine and have to comply with a corrective action plan, which includes developing policies and procedures to ensure that interactions with patients on social media are compliant with the HIPAA Privacy Rule.
This settlement agreement is a good reminder of the importance of developing policies and procedures for interacting with patients on social media and ensuring that staff is properly trained on them, as to avoid unauthorized disclosures of PHI and to protect an organization’s reputation.
Online Reviews, Social Media, and HIPAA
As social media continues to become more prominent in our society, online reviews can have a tremendous effect on consumer habits; healthcare organizations and providers are no exception. Patients are making choices about where they are going to seek their healthcare based on reviews, so it is crucial that providers and organizations are being responsive to the experiences and needs of reviewers. Even more important than online engagement is the need for organization to maintain compliance with the HIPAA Privacy Rule. Developing specific policies and procedures for responding to these reviews can be a helpful tool as organizations strive to provide the best care and experiences for their patients.
Here are five helpful tips for healthcare organizations looking to develop policies and procedures for responding to reviews in a HIPAA-compliant manner.
1. Never acknowledge that the reviewer was a patient.
Although the reviewer may identify themselves as a patient, it may be a HIPAA violation for the organization or provider to acknowledge that the reviewer was actually a patient. Never repeat the reviewer’s name in your response, and never respond with information that would share why they were seeking care, or discuss financial information. Remember it is not a valid excuse to say that you never used the patient’s name – there are 18 identifiers protected by HIPAA, including dates of service, and geographic data. Further, you could be in violation of a disclosure even with indirect identifiers if, when combined with other information, the identity of the individual may be pieced together.
2. Develop a template for responses.
When sites allow for a response, it is important to engage to show people that the organization is responsive and cares about feedback. Using templates in the response can help to ensure HIPAA compliance.
3. Take conversations private, but not to private messages.
Giving people an opportunity to talk about their feelings and experiences is important, but organizations should not engage in these conversations online. Private messages may seem private, but they are still subject to HIPAA and cannot contain PHI. It is best to engage in these conversations over the phone or in person. Email may also be an option for communication if proper authorization has been received.
4. Don’t share pictures of patients on social media.
Don’t share pictures of patients even if you think they are de-identified. People may recognize a photo based on someone’s birthmarks, moles or general familiarity with their form. With proper consent it may be appropriate to share pictures, but it is best to avoid sharing photos altogether if you can.
5. Always be courteous.
Regardless of the review being positive or negative, it is important to take the time to thank the reviewer for taking the time to give their feedback. Being courteous, even to negative reviews, will show potential patients that you value feedback and are striving to improve the organization.
Examples of Responses that are HIPAA-Compliant
Here are some potential templates for responses to both positive and negative reviews.
HIPAA-Compliant Responses to a Positive Review
- Thank you for your review. We strive to provide high quality care.
- Thank you for taking time out of your day to share those kind words. Our goal is to provide high quality care, so your feedback is appreciated.
HIPAA-Compliant Responses to a Negative Review
- Our goal is to provide high quality care, so your feedback is appreciated. Please call us at [phone number] or email us at [email address] so we can learn more.
- We deeply regret the inconvenience. Please call us at [phone number] or email us at [email address] so we can learn more.
Shuttleworth & Ingersoll is proud to announce the addition of Molly M. Parker to the team of attorneys.
Molly’s practice focuses on litigation and appellate law. As a graduate of the University of Iowa College of Law, she gained valuable experience as the law clerk to the Honorable Jane Kelly in the United States Court of Appeals for the Eighth Circuit, as well as a law clerk to the Honorable Chief Judge John A. Jarvey in the United States District Court for the Southern District of Iowa. Most recently, Molly served as the legal director for Kids First Law Center of Greater Des Moines.
Molly is a frequent volunteer judge and mentor for local and regional mock trial competitions. In her spare time she enjoys knitting, cooking, and reading.
About Shuttleworth & Ingersoll
Shuttleworth & Ingersoll, P.L.C. is a multi-specialty law firm with offices in Cedar Rapids, Iowa, and Coralville, Iowa, with clients throughout the Midwest and around the world. Established in 1854, the firm has grown to become one of Iowa’s largest firms with nearly 50 talented and experienced lawyers who provide a full-range of business, litigation, family, and intellectual property legal services. Using a collaborative, team-based approach, Shuttleworth & Ingersoll is able to provide innovative, cost-effective solutions to client problems.
Roger Severino, director for the Office of Civil Rights (OCR), delivered an address on October 16 in Washington D.C. to provide a broad overview to recap recent HIPAA enforcement efforts conducted by OCR, along with advice for covered entities to think proactively about protecting their patients’ medical records given the constant threat of attack from bad actors and data exposure. Here are a few key takeaways from his presentation involving HIPAA matters.
Training Employees as a Major Component to Safeguard from Attacks
Two of the main areas of concern continue to include phishing attacks and FTP attacks/hacking attacks as a way in for hackers. The tech side has played a bigger role in recent breaches. Ransomware is a real threat. Entities should make sure they have all the necessary safeguards, which includes firewalls and “especially training your employees,” according to Severino.
He explained that phishing attacks occur when employees let their guard down because of social engineering. He cautioned that phishing attacks are getting better. No longer do the emails appear to come from a foreign country or contain obvious misspellings. Simply put, Director Severino stated “If you are part of an entity and don’t have a program for testing your employees with fake phishing emails, consider doing that.” He added, “It is almost becoming standard because we’re getting so many phishing attacks and that is one of the primary ways of protecting yourself from viruses, phishing, and ransomware.” Additionally, make sure your staff understands there can be fake tech support attempts. Finally, he said that another human factor is weak authentication protocols: the movement to two factor authentication allows you to have less frequent password changes when using this method.
In short, do not ignore the HUMAN SIDE as a security threat. Educate and train your employees. Educate them to not share passwords. Educate your Human Resources folks to make sure former employees are stripped of their access, passwords changed, tokens and keys taken the day they are dismissed.
Right to Access Rule Update
During his address, Director Severino commented that the Office of Civil Rights is looking to see if there is a need to address the “right to access” rule. For example, it should not be difficult for records from one provider in one state to be sent to a provider in another state, but oftentimes, entities require the patient fill out a request or authorization to facilitate. In other words, Director Severino believes there is nothing in place to guarantee that the patient’s records would be sent without the patient requesting his/her own records and doing all the work him/herself. OCR is exploring expanding the rule so that this sharing of medical information and be seamless and automatic.
Doctors May Disclose Information to a Family Member
He reminded the audience that OCR has issued guidance to clarify that HIPAA does, in fact, allow providers to disclose information to a family member if the member is involved in the patient’s care, if it is an emergency and the patient is incapacitated, or if there is a threat to health or safety (which include the patient’s own health and safety). OCR is also considering modifying the standards for what counts as a threat to make sure that providers are “fully empowered to address these life and death situations.” He believes entities are using the shield of HIPAA to say they are not allowed to release information and OCR is going to try to take down those shields so that providers understand better that there are times where information can be disclosed to loved ones, and in some cases, law enforcement.
Reconsideration of Notice of Privacy Practices
The Office is evaluating whether it continues to make sense to require incoming patients to sign acknowledgement of the Notice of Privacy Practices, when very few people read the Notices anymore. The HIPAA regulations currently state that the patient’s signature must be requested and if the patient does not sign, then the provider has to document the efforts to get the signature and retain that paperwork documenting the efforts and the refusal. Director Severino acknowledged that this has created “millions of pieces of paper that [OCR] has not used in [their] enforcement actions.” He queried: “Has this signature requirement become an unnecessary barrier to healthcare? Is it worth keeping?” OCR has submitted these questions to covered entities for feedback. The Director encouraged everyone to respond to these inquiries if interested in these issues. This is “your chance to give input on what [OCR is] doing as an agency,” he said.
Patients Control Sending PHI to Third-Party Apps
He pointed out that the OCR has issued an FAQ on health apps as this is a growing area in the industry. “One of the first things you need to realize is that covered entities do not have a monopoly power over their patients’ or their customers’ PHI.” If a patient requests her information to be sent to a health app, so long as the provider does not view the app as a threat to the provider’s system for malware or viruses, the patient request should be honored. If the release is to a third-party that the provider/entity does not have a Business Associate Agreement (BAA) with, it is appropriate to release the information at the patient’s request (again, absent a threat to the provider’s own systems). The entity/provider is not liable for what happens after the PHI goes to the app, provided the app is not acting on behalf of the covered entity. “Buyer beware” when it comes to the patient. Of course, if the app is the entity’s own app, then a BAA is needed and there is responsibility for what happens when the PHI is disclosed. Director Severino, however, noted that “we need to play a role in informing folks on what the lay of the land is” and people need to know that the app they are using may try to sell their information, give it to researchers, market it, etc., as well as the threats that may occur because of where the server for that app is stored. He suggested entities provide the information to the patient’s app when the patient requests it, but give a disclaimer and say that the entity is not responsible if it goes to a third-party app that is not affiliated with the covered entity.
Updates to Enforcement of HIPAA from the OCR
Director Severino also shared what has been done on the enforcement side.
Procedures for Access to PHI When Employees Leave
Pagosa Springs Medical Center (Colorado): Google calendar was used to book clients and make appointments. It was available to all staff who managed the calendar. There were two problems: (1) an employee left the company but retained access to the calendar (had the password/credentials); and (2) Pagosa did not have a BAA with Google for this calendar. Director Severino reminded the audience that many companies (Google, Microsoft, etc.) have “enterprise” versions of their apps that are HIPAA-compliant and for which the Business Associate will sign a BAA. Entities and providers should make sure they have a strong policy/procedure in place for how to deal with terminated employees or employees who have left the company. Settlement with OCR: $111,400.
Open FTP Access to a Server
Cottage Health (California): Server was breached with 62,000 lab and diagnostic results. The entity had an FTP server that was accessible without proper password controls. There was a tech support issue and during the overhauling of the server, it was not configured properly and left “open.” The lesson here is to make sure you have a proper risk analysis/assessment to identify these threats. The risk analysis should be considered when there are changes to the servers, etc. The same checklist that is part of the risk analysis should be done at times like these. Settlement with OCR: $3 Million.
Another Open Server, Left Open After Warnings
Touchstone Medical (Tennessee): 300,000 patient records were available to the world and searchable by Google and indexed on their pages (names, address, SSN, etc.) The FBI informed them AND OCR that the entity had its FTP servers allowing uncontrolled access. Touchstone first denied there was a problem. It did not take the “hint” from the FBI/OCR and continued to leave it open for some time afterwards. Pay attention to the red flags! Settlement with OCR: $3 Million.
Lack of Risk Analysis Leads to Hacker Breach
Medical Informatics Engineering (Indiana): hackers obtained user ID and password. MIE self-reported to OCR. The breach impacted 3.5M people. OCR’s investigation revealed that MIE did not conduct a comprehensive risk analysis prior to the breach. Settlement with OCR: $100,000.
Social Medial Pitfalls
Elite Dental (Texas): The entity violated HIPAA when responding to a negative YELP review. Read more about this settlement between OCR and Elite Dental from Shuttleworth & Ingersoll Associate Attorney Hayleigh Hansen-Boardman.
Setting a Precedent for Enforcement of Right to Access
Bayfront Health St. Petersburg (Florida): This was OCR’s first case involving patient’s right to access and the enforcement involved only one patient. The patient wanted the records of her unborn child (fetal heart rate records) and was denied access for nine months. Under the rules, an entity must respond and provide within 30 days. Bayfront did not comply and so the OCR took action. “This is the first of what we expect to be several enforcement actions on the right of access.” OCR feels they have done a lot of campaigns to educate on the right to access and it is a problem so it is time for “serious enforcement.” Settlement with OCR: $85,000.
OCR Chooses Cases to Send a Message
With enforcement, Director Severino commented that his Office is “not out to bankrupt companies to make a point.” The OCR chooses cases based on their importance and the message.
He also stated during his presentation that the Elite Dental case demonstrates the fact that OCR will “go for big cases and small cases.”
Future Focus of Enforcement Actions
The OCR is “moving away from the laptops” and more doing more regarding the right of access as the OCR sees that as a need. They also see future enforcement actions related to hacking and IT breaches. If there is a theft of a stolen laptop that is encrypted, the OCR presumes that the PHI is safe.
OCR encourages entities to subscribe to their cybersecurity newsletter as it addresses the latest topics and threats.