Troup, Tx. -- April 15, 2016 -- Pedagogy Inc., a continuing education company for healthcare providers, announces a vital new online course to counter a growing number of publicly reported incidents of patient information posted to social media.
Nurses, technicians and other healthcare workers are often the culprits, with information and photos originating from physician offices, hospitals, nursing homes, and other healthcare facilities.
Last year, reports co-published by ProPublica and the Washington Post revealed startling examples of abuses, including some patients exposed naked on SnapChat and other platforms.
In a case reported last month by USA Today, a New York nurse took photos of an unconscious patient’s penis, and shared them with co-workers. The nurse initially faced a felony charge, but agreed to give up her nursing license for a reduced sentence.
Pedagogy’s new course coincides with the start of long-awaited federal audits under the Health Insurance Portability and Accountability Act (HIPAA). Meanwhile, in a 2016 survey co-sponsored by the nonprofit Health Care Compliance Association, participating healthcare providers ranked social media as their #1 compliance concern.
The new course is authored by Diane Evans, Publisher of Akron, Ohio-based MyHIPAAGuide.com, a news and information service to help healthcare providers stay compliance with HIPAA rules.
Course participants will receive instruction in how:
Patient information really does end up on social media
Daily carelessness threatens the privacy patient health information, and exposes providers to liabilities
Even simple risk-mitigation practices help safeguarding patient information
A culture of vigilance can prevent bad practices that can lead to breaches
Long-awaited federal audits are finally here under the the Health Insurance Portability and Accountability Act (HIPAA). The shift toward proactive enforcement of patient privacy laws sends a clear message: Healthcare providers of all sizes, and their business associates, must be accountable for securing patient information – or they can face fines under HIPAA.
While some providers may groan, the times require serious protection against very real threats to patient privacy, ranging from cybercrime to careless lapses. Increasingly, government and media reports reveal atrocities, such as embarrassing patient images posted to social media, often the result of healthcare workers snapping photos and sharing them.
Such incidents are not only violate patients’ rights, but also human dignity.
Ideally, federal audits will heightened awareness of risks and the importance of a culture of vigilance in places where it is lacking. Even simple precautions and good daily habits can prevent abuses.
The challenge is to create a mindset of high respect for privacy, and to enforce policies and procedures that reduce the chance of violations.
Think of the senselessness, and the consequences of a case reported last month by USA Today. A New York nurse took photos of an unconscious patient’s penis, and the shared the photos with co-workers. The nurse initially faced a felony charge, but agreed to give up her nursing license for a reduced sentence. Nursing homes are particularly ripe for similar types of abuses involving nakedness, as ProPublica has reported.
Incidents are far from isolated. Earlier this year, the National Council of State Boards of Nursing (NCSBN) released survey findings, indicating 48% of responding nursing boards (33 in total) faced social media challenges. In some cases, complaints related to images of wounds and procedures photographed on mobile phones and then shared.
Even for smaller practices, HIPAA settlements and fines can be steep. Last September, for instance, a group of radiology oncologists in Indiana agreed to pay $750,000, resulting from the theft of a laptop bag from an employee’s car. The bag contained the employee’s computer and unencrypted backup media, which contained the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former cancer patients. The government’s investigation found that the medical group had not conducted a proper risk analysis.
The government determined that a proper device and media-control policy could have educated employees on their responsibilities for safeguarding devices with patient information.
In 2016, the audit program will focus on a review of policies and procedures followed by healthcare providers and their business associates.
Nursing home administrators should be especially careful in limiting the use of personal devices among employees; HIPAA rules require adherence to specific policies and procedures to reduce the risk of breaches.
Read reports in ProPublica on the social media abuses happening within nursing care facilities.
On March 21, the federal Office for Civil rights (OCR) announced the start of the next phase of audits under the Health Insurance Portability and Accountability Act (HIPAA). Read the OCR's announcement here.
In sum, audits will be extend to all types and sizes of organizations required to follow HIPAA rules, including business associates of healthcare providers. The 2016 audits will primarily be desk audits, although some on-site visits will be included.
Those selected for an audit will receive an email, asking for contact information. The contact person or office will then receive a pre-audit questionnaire.
Here is something especially important to know:
“Communications from OCR will be sent via email and may be incorrectly classified as spam,’’ the agency said in its announcement. “If your entity’s spam filtering and virus protection are automatically enabled, we expect entities to check their junk or spam email folder for emails from OCR.”
MyHIPAAGuide.com subscribers may click here for detailed information including:
By Martin Stranges, President Pittsburgh Computer Solutions
IT security in an office environment can be a very complex issue to tackle. The flow in a busy practice makes matters worse. Simple and effective steps can be taken to eliminate some of the burden.
Get a junk email address. There’s a lot of free services available and some have great functionality like shareable calendars you may use. We all have to subscribe or sign up for something that requires a contact address. In a lot of cases, these addresses are sold or rented to solicitors. Let this be the catch all for the marketing material and potential ransomware coming your way. Your professional inbox will thank you.
Email attachments and the office staff that opens them have been the bane of IT for decades. Viral threats started out as nuisance or joke programs that were fairly easy to remedy and didn’t usually cause excessive down time. Currently we’re seeing a new breed of programs that encrypt your data and hold it hostage until a ransom is paid. There’s been documented cases where a covered entity had to pay a $16,000 ransom to decrypt their own data. Two easy steps to help avoid the impact of ransomware are:
Train your staff not to open email attachments unless they’re absolutely sure it came from a reliable source. Call IT if there’s any question to ensure the email is genuine. We’re always happy to get the call before a problem starts.
Since accidents happen, have at least two backups of your data in place. One of them should be cloud based that does revisions or periodic snapshots of your systems.
Having an antivirus in place is a no brainer. We see a lot of practice workstations with a mix of factory installed antiviruses. Some working, some expired and others that just won’t update on their own. Invest in a cloud managed business class antivirus. You’ll know exactly what’s going on across the entire organization from the dashboard at a glance. It’s also less expensive than paying one at a time for the wrong solution.
Have practice email or info on your mobile phone? Lock it. Lost or stolen phones are one of the biggest threats to your office security. Any newer smartphone with the latest updates is capable of encryption without added software. If your phone ends up out of your control, it’ll be useless to anyone that doesn’t have your password.
Ever consider digital faxing? Over the years it has become a more affordable and secure option over paper faxing. It’s actually less expensive to have a digital fax line than a phone line that attaches to a fax machine. Your faxes will show up in an email and not sit on your fax machine for hours until someone notices it arrived. They’re also HIPAA compliant, but make sure you sign up for the HIPAA plan when placing your order. Imagine the cost and time savings when you’re not buying toner or paper and you can even send secure faxes right from your desktop, phone or other mobile device.
Take advantage of patches and updates on your phone, mobile devices and workstations. They’re free and the majority of them enhance security. Some devices allow for automatic updates which will save time as well as ensure you’re always as protected as possible.
A little bit of time and effort goes a long way to securing what you’ve worked so hard to create.
Pittsburgh Computer Solutions offers complete IT solutions to keep healthcare providers compliant with privacy and security rules.
In a recent survey, co-sponsored by the Health Care Compliance Association, “social media” emerged as the No. 1 risk concern among respondents in healthcare.
In truth, patient information can and does end up on Facebook and on other Internet sites. In reviewing cases published in major media and by the federal government, the culprits are often those working within healthcare.
Consider a 2015 report published in the Journal of Nursing Regulation:
Referencing a 2014 survey, the National Council of State Boards of Nursing (NCSBN) revealed that 48% of responding Boards of Nursing (33 in number) face challenges with social media. Several boards in the survey reported images of wounds or procedures being shared across social media after being photographed on mobile phones.
NCSBA has called for greater awareness and vigilance to stop this kind of activity. In a published guide on uses of social media, SCSBA reminds nurses and others of the blanket responsibility to safeguard any and all patient information, and to limit disclosures only to members of a health care team who need to know for the purpose of providing care to an individual.
NCSBA has recommended numerous guidelines for nurses, which could also pertain to others. Examples include:
Do not transmit any patient-related image via any electronic media
Do not share, post or otherwise disseminate any information, including images, about a patient
Remember, too, that patient information can spread in unanticipated ways.
In one example, the Tampa Bay Times reported on a nurse who snooped out medical records of her nephew's partner, and learned that she had delivered a baby and had put the child up for adoption. The nurse gave a printout to another family member, and the news came out at a family funeral. Anyone who heard could have posted or Tweeted.
In an older case reported by the federal government, a different, less obvious kind of improper exposure is worth noting, because it illustrates how breaches can happen even in the course of normal business. In this case, a physical therapy provider agreed to a $25,000 settlement after posting patient testimonials to its website. The testimonials included full names and photographs, but the provider had not obtained valid, HIPAA-compliant authorizations. Enough said to beware.
Ultimately, the work of safeguarding patient information is about creating a culture in which daily habits put a priority on privacy and security.
Risk assessment, as required under HIPAA rules, is essential. In a healthcare organization, that means examining of how, where and under what circumstances information might be improperly seen, heard, accessed or compromised. The task is to go step by step, in anticipating potential threats, implementing solutions and then putting precautionary habits into daily practice.
In a culture of vigilance, the safeguarding of patient information is top-of-mind. In such a culture, it would be unthinkable to hand a relative a printout containing patient information.
By contrast, a culture of laxity invites breaches. And with the prevalence of social media, laxity opens an avenue for fast spread of patient information to the masses.
The way to protect against a social media nightmare: Strive to create a dream team in your midst - where those with access to patient information guard it jealously from any possible abuse. It is impossible to eliminate risk altogether. But a culture of vigilance closes off many of the access points that result in breaches in general and pathways to social media.
This year, the federal government plans to begin audits to ensure compliance with privacy and security provisions under the Health Insurance Portability and Accountability Act (HIPAA). The audits signal a shift to proactive enforcement of HIPAA rules, in contrast to the past, when the feds typically reacted to complaints of alleged breaches.
If you are a healthcare provider, far from the elaborate schemes of hackers, your greatest threat is more likely to be in carelessness or neglect. In recent years, the top two issues in the most serious HIPAA investigations related to:
Impermissible uses and disclosures of patient information
Often, violations go down to basic lapses in judgment, such as leaving computers containing patient information in unlocked rooms. Here are a few examples, illustrating the type of routine behaviors that lead to investigations:
In one case involving the Indiana-based Parkview Health System, a physician complained that as she was transitioning to retirement, Parkview employees left 71 cardboard boxes of patient health records unattended in her driveway in a high-traffic area. Parkview settled the case for $800,000.
In another case, Lahey Hospital and Medical Center, affiliated with Tufts Medical School, settled potential violations for $850,000 after a laptop was stolen from an unlocked treatment room. The feds reported evidence of widespread non-compliance with the HIPAA rules, including failure to conduct thorough risk assessments.
Aside from these more high profile cases, several lesser cases illustrate the everyday situations that spark investigations and lead to corrective action plans. Consider:
A mental health center failed to provide a notice of privacy practices to a father or his minor daughter, who was a patient at the center.
A private practice failed to provide a patient access to his medical records.
After treating a patient injured in a sporting accident, a hospital released the patient’s skull x-ray and other detailed information to a local newspaper. The hospital argued it acted in the public interest, but the feds said the disclosures did not meet the appropriate standard.
A staff member of a medical practice discussed HIV testing procedures with a patient in a waiting room, and by doing so, disclosed protected health information to others in the room. At this same practice, computer screens displaying patient information were easily visible to patients.
The lesson: Tend to the details, and create a culture that values the protection of patient privacy. It’s a mindset more than anything. The idea of patient information in open view on a computer screen, or on paper, should be as unthinkable as leaving the office doors wide open overnight.
After a recent workshop presentation, a woman asked me to explain the difference between security and privacy. In a medical practice, security relates to keeping patient records in locked rooms, for example, or contingency plans in the event of a natural disaster or power outage.
Security and privacy are inter-related, but privacy is more personal. In an environment where privacy is respected, no one would imagine chatting up HIV testing procedures in a waiting room where others could hear.
Of course, protect against hackers and other potential assaults from the outside. But look carefully around your workplace, and think hard about the real threats as a result of lax procedures. If someone walking by a work station can glimpse the protected health information of a patient, privacy has been violated. Worse yet, what’s to prevent that person from sharing this new found information on social media? Nothing. And if that happens, expect the HIPAA police.
The special healthcare edition of Crain's Cleveland discusses the help available to doctors through MyHIPAAGuide.com.
The recently launched news & information service covers compliance, including updates in rules; preparation for coming audits; patient education; Meaningful Use reporting and more. Through MyHIPAAGuide.com, a seasoned journalist shows a clear path through the government maze of rules and reporting requirements.
By Diane Evans
If you haven’t been following HIPAA news lately, you may have missed some interesting stories.
One example: In a precedent-setting case, a 64-year-old Massachusetts physician now faces federal charges for allegedly taking money and meals from the drug company Warner Chilcott, with one charge relating to a criminal violation of patient privacy under the Health Insurance Portability and Accountability Act (HIPAA).
A blog post published on the website of the National Law Review notes that the case should be of great interest to the health care community for the “new twist’’ of a criminal charge under HIPAA. You have to wonder: Is HIPAA the new tax evasion fallback for federal investigators?
In another recent case, an affiliate organization of the University of the Washington Medical Center agreed to a $750,000 settlement, as a result of an employee downloading an email attachment that contained malicious malware. The feds concluded that electronic Protected Health Information (e-PHI) was comprised due to the lack of a proper risk assessment and risk mitigation.
With federal audits set to begin in 2016, and with uniform reporting rules for meaningful use of electronic records recently announced, are you ready?
MyHIPAAGuide.com can help. MyHIPAAGuide.com is a news and information service offering:
News updates on HIPAA rules;
Forum boards, where you can compare notes on HIPAA compliance and share experiences – good or bad – different kinds of software and equipment;
A catalog of 40+ carefully-picked federal government resources, including tutorials, templates and how-to videos, organized around a 10-step compliance plan published by the U.S. Department of Health and Human Services.
The 10-step plan, available for public viewing on MyHIPAAGuide.com, organizes compliance around an easy checklist of things you need to do. For example, if you are still using old Patient Privacy Notices, it is likely you will need to upgrade to new consent notices designed to achieve what is called “meaningful consent.” You’ll also want to make sure your Business Associate Agreements (BAAs) are in place, and updated to reflect security precautions for ePHI.
Resources available on MyHIPAAGuide.com include:
Patient Privacy Notices to help achieve meaningful consent, available both in English and Spanish
Short videos that capture the essence of a risk assessment
Self-evaluation tools to help guide organizations large and small
Sample provisions for Business Associate Agreements (BAA)
Guides that address specific issues, such as recommendations for safely reporting patient test results
Risk analysis tools, with both Windows and iPad versions
MyHIPAA Guide helps HIPAA-covered organizations prepare for financial incentives from Medicare and Medicaid -- and avoid penalties.
MyHIPAAGuide.com is published by M.E.D. Media Mart LLC, based in Akron, Ohio.
By Diane Evans
On the road to healthcare reform, let’s not forget the basics: Americans still need affordable, fast access to doctors. By steamrolling too much change at one time, the risk is that basic needs will go unmet amid reforms that aren’t even widely understood and that ultimately will result in patient care determined by government-approved treatment plans.
It is important that average Americans be aware of what’s happening, and what’s at stake, while there is still time to preserve stability in our current healthcare system as it transitions to high technology.
A major problem is that too much of healthcare reform is being planned and executed in a vacuum – apart from important considerations such as the potential for mass retirements of aging doctors, leading to severe shortages and longer wait times for patients, all at a time of increased demand on the system due to aging baby boomers. Curiously, doctors must focus now on entering patient data into electronic devices, when by the federal government’s own timetable, the necessary technology to accomplish healthcare reform won’t be in place until 2024.
One of the less publicized priorities of the reform push: A plan to move toward what the government calls “population health,” which would marginalize the discretion of doctors in favor of formulas to determine care dispensed to patients. If your eyes glazed over that last sentence, read it again.
With population health, patient care – and payer reimbursement – would be determined by statistical averages based on data analysis. The data that doctors must report to the government would be used to determine standard forms of treatment that qualifies for reimbursement.
That is a concept far beyond the more widely understood goals, such as developing technology to easily share patient health records among providers, say from doctor offices to hospitals.
Population health holds out the ideal that data analysis could identify treatments and procedures that become standardized care methods for Americans. If accomplished through transparent and meaningful data analysis, best practices could indeed emerge that would improve overall healthcare for all. But this is a huge undertaking for the nation, and it should not be coupled with the development of an information superhighway for the sharing of healthcare records from one healthcare provider to another.
Probably under any circumstances, the goal of building an information highway for health records, plus creating standardized, data-driven patient care, would be unrealistic to achieve simultaneously.
However, coupled with other disrupting factors, the stage is set for chaos. Consider:
Physicians and other are working with clunky Electronic Records Systems that were not built for reporting on patient outcomes. In a letter to the federal government earlier this year, 36 medical associations called attention to the poor quality of EHR systems, with functionality issues exacerbated by new, unanticipated demands on how the systems are being used. The letter also pointed to inadequate government oversight to ensure the safety of patient information.
Changes in Medicare reimbursements have increased financial pressure on doctors, especially in primary care, leaving less money for investment in new technology.
With one in four doctors over age 60, mass retirements could drain the system of needed manpower. In a 2014 survey of 20,000 physicians by The Physicians Foundation, 39 percent indicated plans to accelerate retirement.
Increased wait times to see a doctor, as reported by the New York Times and others, are already becoming a new norm, and not just in traditionally under-served rural areas. One study found weeks of waiting in some cities.
Insurance plan deductibles are rising at a faster pace than wages, as documented in an analysis by the Kaiser Family Foundation. This makes healthcare less affordable to average people.
Do we need healthcare reform? Absolutely.Numerous studies show the United States outspending other developed nations on healthcare, but with inferior outcomes. In addition, as dentists leave teeth cleaning to hygienists, some patient care really should be dispensed by nurse practitioners and assistants. The question is how we migrate to a better system during a period when necessary technology is still a long way off.
At the very least, the debate needs to ramp up, and voices large and small need to be heard. Last month, the American Medical Association (AMA) sponsored a tweet fest on this issue. In inviting participation to chat about a “the physician’s role in the evolution of digital medicine,” an AMA blog post described the “potential impact of digital technology on healthcare (as) simultaneously undeniable and unexplainable.
True, we can’t foresee the future of technology. But as a nation, we do need to understand and debate the potential impact of regulations now being developed.
MYHIPAA Guide, a news and information service, is hosting a forum discussion through the Dec. 15 deadline, open to all who would like to share insights on key points that should be conveyed to government regulators. If participants need more information, we will do the research and report back on the forum board. Professional associations, we invite you, your leaders and members to join.
Diane Evans is Publisher of MyHIPAAGuide.com and a former editorial writer and columnist for the Akron Beacon Journal.
Fallout of Drug Company Bust: 64-year-old Doctor Faces Charges, Whistleblowers share $22.9 million
By Diane Evans, Publisher, MyHIPAA Guide – Nov. 6, 2015
The story of pharmaceutical company Warner Chilcott reads like a racketeering case. It also points to the future potential of patient privacy laws as a hammer in criminal cases, effecting local physicians as well as large providers.
In a precedent-setting case, a Massachusetts physician now faces federal charges for allegedly taking money and meals from the drug company Warner Chilcott, with one charge relating to a criminal violation of patient privacy under the Health Insurance Portability and Accountability Act (HIPAA).
Last month, Warner Chilcott pleaded guilty to health care fraud and agreed to pay $125 million resulting from the illegal promotion of its drug brands. A blog post, published Nov. 5 on the website of the National Law Review, noted that the case should be of great interest to the health care community for the “new twist’’ of a criminal charge under HIPAA. “These HIPAA violations could result in prison sentences, significant fines and exclusion from the Medicare program,” the post stated.
According to the federal indictment, Rita Luthra, a physician in Longmeadow, Mass., received $23,500 in 2010 and 2011 to prescribe the osteoporosis drugs Actonel and Atelvia, manufactured by Warner Chilcott. On at least 31 occasions, Warner Chilcott sales representatives allegedly brought food into Luthra’s medical office for Luthra and her staff, and paid Luthra $750 to talk with her for 25-30 minutes while she ate.
In addition, Luthra allegedly allowed a Warner Chilcott sales representative to access protected health information in her patient’s medical files in order to submit prior authorizations for Atelvia.
“Doctors’ medical judgment should be based on what is best for the patient, and not clouded by expensive meals and other pharmaceutical company kickbacks,” said U.S. Attorney Carmen M. Ortiz of the District of Massachusetts, in an an Oct. 29 statement.
According to allegations:
Warner Chilcott sales reps, at the direction of company managers, gave money, meals and other remuneration tied to so-called “Medical Education Events.” These events, often at expensive restaurants, became a vehicle for paying physicians for prescribing drugs sold by Warner Chilcott. The company enlisted high-prescribing physicians as “speakers,” even when they did not actually speak about any clinical topics. In some instances, Warner Chilcott informed “speakers” that they would not be paid for subsequent events unless they prescribed an increased volume of the company’s drug brands.
Under the terms of the plea agreement, Warner Chilcott will pay a criminal fine of $22.94 million.
Under a civil settlement agreement, the company will pay $102.06 million to the federal government and states to resolve claims. The civil settlement relates to allegations that Warner Chilcott violated the federal Anti-Kickback Statute by making illegal payments to prescribing physicians in connection with the so-called “Medical Education Events” and speaker programs.
The civil settlement resolves a lawsuit filed under whistleblower provisions of the False Claims Act, under which private individuals can sue on behalf of the government for false claims and share in any recovery. As part of the settlement, whistleblowers will receive about $22.9 million from the federal share of the civil recovery.
Government efforts to prevent health care fraud are well documented, especially through the work of the Health Care Fraud Prevention and Enforcement Action Team (HEAT) initiative, started in 2009. Now the Warner Chilcott case adds HIPAA to the toolkit of criminal enforcement.
Remember, Al Capone didn’t go down for organizing the St. Valentine’s Day Massacre. He went to prison in 1931 for something far less: Tax evasion.
AKRON, Ohio – November 3, 2015 -- For the first time, a low-cost, online service, at www.MyHIPAAGuide.com, gives healthcare providers direct access to a library of federal government toolkits, videos, games and tutorials designed to help achieve compliance with updated HIPAA Privacy and Security Rules.
The new service can benefit organizations of all sizes, but can be especially helpful to rural organizations and other small- and medium-size providers facing government reporting requirements for the first time. MyHIPAA Guide includes:
Whether it's Facebook, Twitter, Instagram or something else, here's a simple way to think of social media: It is word-of-mouth communication empowered by the Internet.
Previously, word-of-mouth spread mainly in person or over the telephone.
But now the Internet enables one person's voice to reverberate throughout a community or even around the globe. That's not to say everyone's message actually reaches a wide audience. Hardly. For those in heathcare, if you want your message to reach a desired audience, a good exercise is to think about exactly how that might happen. Here are a few possible scenarios:
Let's say your hospital or medical practice has collected email addresses from patients who agree to receive email announcements or newsletters from your office. You now have a subscriber list. An email then goes out, announcing a new internist on staff. Someone who receives this information forwards the annoucement to a neighbor who just moved into town and needs a physician. "Hearing" about you, the neighbor calls for an appointment.