Social media offers many benefits for health care organizations because it allows interaction with patients and others, and it can be used to deliver education and services. As a result, it has become an essential communication and marketing tool and part of strategic marketing plans. Organizations also turn to social media to communicate with their employees. Unfortunately, HIPAA and social media can be problematic.
Authorization to use PHI
It is possible to violate the HIPAA Rules and patient privacy while using social media if it is not managed correctly. For this reason, health care organizations must disclose protected health information (PHI) carefully. An organization may do so only with patient authorization, for example for interviews, photographs and marketing communications.
Media Posts May Risk Privacy
Posts of PHI by employees violate the HIPAA Rules and result in a reportable breach of PHI. Social media posts are not a permissible use or disclosure of PHI. The ability to post simultaneously on several platforms increases the risk for an organization. Remember that to de-identify PHI, all 18 identifiers must be removed, and there must also be a low risk that the remaining information could be used to identify the patient. Facial images and other identifying features such as tattoos must also be removed.
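As an added illustration, not part of the original post, the following Python applies the Safe Harbor de-identification transformations to a constructed sample record: direct identifiers are dropped by allowlist, dates are reduced to the year, ages over 89 are aggregated into "90+", and ZIP codes are truncated to three digits (or zeroed where HHS guidance lists the prefix as too sparsely populated). The field names, the reference date and the sample record are assumptions.

```python
import re
from datetime import date

# Three-digit ZIP prefixes whose geographic units held 20,000 or fewer people
# in the 2000 Census; HHS Safe Harbor guidance says these become "000".
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}

# Fields allowed to survive de-identification (assumed field names). Everything
# else (name, MRN, SSN, phone, email, free-text notes, photo references) is dropped.
KEEP = {"zip", "state", "birth_date", "admit_date", "diagnosis"}

# Constructed "as of" date used to compute ages.
REPORT_DATE = date(2019, 5, 1)

def zip3(zip_code):
    """Keep only the first three digits, or '000' if the prefix is restricted."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix

def year_only(iso_date):
    """Safe Harbor permits only the year of a date tied to the individual."""
    return iso_date[:4]

def age_bucket(birth_date, on):
    """Ages over 89 must be aggregated into a single '90+' category."""
    born = date.fromisoformat(birth_date)
    age = on.year - born.year - ((on.month, on.day) < (born.month, born.day))
    return "90+" if age >= 90 else str(age)

def deidentify(record, today=REPORT_DATE):
    """Apply the Safe Harbor transformations to one patient record (a dict)."""
    out = {k: v for k, v in record.items() if k in KEEP}
    if "zip" in out:
        out["zip"] = zip3(out["zip"])
    if "birth_date" in out:
        out["age"] = age_bucket(out.pop("birth_date"), today)
    if "admit_date" in out:
        out["admit_year"] = year_only(out.pop("admit_date"))
    return out

# Constructed sample record; not real patient data.
SAMPLE = {
    "name": "Jane Example", "mrn": "MRN-0001", "ssn": "000-00-0000",
    "email": "jane@example.invalid", "phone": "555-0100",
    "zip": "03601", "state": "NH", "birth_date": "1928-02-15",
    "admit_date": "2019-04-03", "diagnosis": "E11.9",
    "note": "Patient has a dragon tattoo on the left forearm",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE))
```

Note that the allowlist is what removes the tattoo description in the free-text note; a redaction approach that only scrubs known fields would have let that identifying detail through.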
Preventing HIPAA Privacy Risk
Employees should be trained on the dangers of using social media inappropriately from the very onset of their employment. Many organizations address the issue by developing a social media use policy and by monitoring social media activity. If it is not addressed, HIPAA and social media can be problematic.
Permitted uses and disclosures of PHI exist for a number of different purposes within the healthcare sector. By following these guidelines, an organization can share protected health information while staying in compliance with HIPAA's rules. All employees of an organization that acts as a covered entity or business associate must be aware of these guidelines. It is always permitted to use and disclose PHI for treatment, payment and health care operations.
Sharing with Health Care Providers
Keep in mind that HIPAA was written not only to protect PHI but also to assist treatment providers in caring for the patient without requiring patient authorization to share that PHI. For example, it is permissible to share protected health information with health care providers who will treat the patient in their office or after hospital discharge. The sharing may be electronic, but it must be done in a manner that complies with the Security Rule.
Sharing for Care Coordination
We now see the need to share data with health care providers for purposes of care coordination. This has expanded the "permitted uses and disclosures of PHI." This activity did not exist when HIPAA was written; it is now required by CMS and is part of a treatment plan. A health care provider may disclose PHI to another provider for these treatment purposes without patient authorization. This information must be shared with all employees of the organization.
By following these simple guidelines, organizations will be able to stay in compliance with HIPAA as they manage their PHI. Note also that there are other ways to share PHI safely without obtaining permission, for example when there is a court order or a law enforcement purpose.
An authorization to disclose protected health information is required from the patient in many circumstances. No authorization is needed if PHI is used for treatment, payment or healthcare operations purposes. It is also not required when another law requires the use or disclosure. It is important for all covered entities and business associates to know the exceptions.
Authorization to Disclose PHI Required
There are many circumstances when an authorization to disclose PHI is required. This should be obtained directly from the patient or their personal representative.
Disclosure to an attorney's office, or to a life or disability insurance company, is an example of when an authorization is needed.
An authorization must be obtained to disclose medical records in certain circumstances. First, one is not required when a patient consents to participate in a research project. Secondly, it is not required when the patient requests a transfer of medical records to another medical provider's office.
Authorization Not Required
When there is a court order signed by a judge from a court with jurisdiction, there is no need for an authorization to disclose protected health information. A report of an infectious disease required by state law also does not require authorization. No authorization is required if PHI is disclosed for research when an Institutional Review Board (IRB) grants a waiver of authorization.
Requirements Permitting Use of Protected Health Information
A HIPAA-compliant authorization permitting use of protected health information must contain certain elements. Do not forget to look at state law requirements as well. Many states have laws that are more protective of PHI than the federal HIPAA Rules, and those states require additional elements to be added to the authorization. The covered entity and/or business associate must determine which requirement is most restrictive.
This is your HIPAA ABCs brought to you by HIPAA Associates.
To use the PHI of an individual, one must often obtain an authorization. The HIPAA Rule is very specific about authorization. The use of PHI for treatment, payment or healthcare operations purposes does not require authorization. In addition, an authorization is not required where specific laws provide for the use or disclosure.
Disclosure to an attorney's office, or to a life or disability insurance company, is an example of when an authorization is needed.
To disclose medical records when a patient consents to participate in a research project, or when the patient requests a transfer of medical records to another medical provider's office, an entity must obtain authorization.
A request accompanied by a court order signed by a judge from a court with jurisdiction does not require authorization. Reporting an infectious disease as required by state law does not require authorization. Disclosing PHI for research does not require authorization if an Institutional Review Board (IRB) grants a waiver of authorization.
State Law is Important
A HIPAA-compliant authorization must contain certain elements, but do not forget to look at state law requirements. Many states have laws that are more protective of PHI than the federal HIPAA Rules, and they require additional elements to be added to the authorization.
Using cybersecurity to protect PHI is a key feature of HIPAA. Electronic protected health information (EPHI) is at increased risk from many sources:
Foreign hackers looking for data to sell, usually on the dark web;
Ransomware attacks that lock up data until a ransom payment is received;
Phishing schemes that lure the user into clicking a link or opening an attachment in order to deploy malicious software; and
Spear phishing, a targeted attack on a specific person that appears to come from a legitimate source and usually instructs the victim to transfer funds.
What You Can Do
In order to safeguard EPHI against these threats:
Firstly, know how to spot phishing emails.
Secondly, use strong passwords, two-factor authentication and encryption.
Finally, have policies, procedures and safeguards in place to protect EPHI, and know whom to report an incident to in your organization.
Prepare for Cyberattacks
In the case of a cyberattack or similar emergency, an entity must:
Execute its response and mitigation procedures and contingency plans.
Report the crime to other law enforcement agencies.
Report all cyber threat indicators to federal and information-sharing and analysis organizations.
Finally, report the breach to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals.
Most importantly, OCR considers all mitigation efforts taken by the entity during any particular breach investigation. Such efforts include, for instance, voluntary sharing of breach-related information with the appropriate agencies.
The Office for Civil Rights (OCR), which has HIPAA oversight, has not produced the long-awaited guidance on texting protected health information. However, at a Health Information Management Conference in March, the OCR director said healthcare providers could text message their patients with PHI, provided that the provider warns the patient that texting is not secure and obtains and documents the patient's authorization to receive texts.
Recent Guidance on Sharing PHI Safely
The Centers for Medicare and Medicaid Services (CMS) oversees the Conditions of Participation and Conditions for Coverage. CMS issued a memo on healthcare providers texting protected health information safely on December 28, 2017. The key takeaways are:
Texting Protected Health Information
CMS permits texting of patient information among members of the health care team, provided the platform is secure and encrypted, which minimizes the risks to patient privacy and confidentiality. HIPAA regulations, the Conditions of Participation and the Conditions for Coverage require this as a safeguard.
Texting Patient Orders
Regardless of the platform, CMS prohibits texting patient orders. A provider who texts patient orders to a member of the care team is not in compliance with the Conditions of Participation or Conditions for Coverage.
CPOE for Orders
Providers should opt for Computerized Provider Order Entry (CPOE) as the preferred method of order entry. CMS insists that a physician or Licensed Independent Practitioner (LIP) enter orders into the medical record either by handwritten order or via CPOE. With CPOE, orders are immediately downloaded into the provider's electronic health record (EHR). This method is preferred because the order is dated, timed, authenticated and promptly placed in the medical record.
It is critical for all providers to understand and follow these new CMS guidelines on texting protected health information among healthcare providers.
Keep in mind that the purpose of HIPAA is to protect PHI while also assisting treatment providers in caring for the patient without requiring patient authorization to share that PHI. For example, it is permissible to share PHI with health care providers who will treat the patient in their office or after hospital discharge. PHI can be shared electronically for treatment, but this must be done in a manner that complies with the Security Rule. PHI may also be disclosed for payment purposes, for example to a billing company, and for healthcare operations activities.
The OCR ordered the University of Texas MD Anderson Cancer Center to pay $4.3 million in penalties for HIPAA violations after half-hearted and incomplete efforts at encryption.
Judgement Against MD Anderson
"A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) has ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR. Moreover, this is the second summary judgment victory in OCR's history of HIPAA enforcement and the $4.3 million is the fourth largest amount ever awarded to OCR by an ALJ or secured in a settlement for HIPAA violations."
Encryption Policies Ignored
The Office for Civil Rights (OCR) ordered the University of Texas MD Anderson Cancer Center (MD Anderson) to pay $4,348,000 in civil money penalties for HIPAA violations because it did not follow its own encryption policies or the HIPAA Rules.
MD Anderson lost an unencrypted laptop and two unencrypted flash drives during 2012 and 2013. The devices contained the electronic protected health information of over 33,500 individuals. This lack of technical safeguards weighed heavily in OCR's decision.
OCR Serious About Lack of Technical Safeguards
Despite creating encryption policies, the center failed to follow them and did not move quickly to implement encryption after the 2012 and 2013 breaches. After the investigation, it was clear to the court that the organization had failed to follow the HIPAA Rules.
"OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations," said OCR Director Roger Severino. The $4.3 million is the fourth largest amount ever awarded to OCR.
The key lesson is that having security policies is not sufficient. An organization must observe and follow those policies to protect both patients and the entity. Consequently, all organizations must routinely review their plan, train their employees on HIPAA and monitor that everyone follows the plan.
The Office for Civil Rights reports that healthcare data breaches increased continuously over the last few months of this year. For example, there were a total of 41 breaches in April, affecting more people than in previous months; the breaches affected a total of 894,874 records. Since 2009, the annual number of breaches of over 500 records has increased from 18 to 365. 2018 was the worst year in number of breaches but only the fourth worst in total records affected.
Unauthorized Access a Cause of Breaches
The healthcare industry continues to be a big target for hackers as healthcare data breaches increase. In 2018, 161% more healthcare records were involved. Unauthorized access/disclosure incidents were one of the biggest causes of breaches, and the mean size of an unauthorized access breach increased by 115%. Fortunately, loss, theft and improper disposal incidents all appear to have declined. Despite the bad news, it is likely that cybersecurity defenses have been effective in preventing hackers from gaining access to data.
Phishing is a Risk
The data from 2018 highlights the importance of increasing email security in addition to training employees. One main cause of healthcare breaches in April was phishing attacks: nine breaches resulting from successful phishing attacks were reported that month. Other causes were unauthorized email access and misdirected emails. It will be important to improve technology that prevents the delivery of malicious emails to the inboxes of healthcare workers.
Exposed PHI Remains a Problem
In short, 75% of breaches affected healthcare providers, 14% health plans and 11% business associates of covered entities. The breaches associated with business associates were the most severe and represented 42% of all exposed records.
It is in the best interest of covered entities and business associates to promote safeguards to protect PHI and to train employees on this process.
The potential violations stemmed from five EPHI breaches at five separate FMCNA-owned covered entities. OCR's investigation revealed that the FMCNA covered entities had failed to conduct an accurate and thorough risk analysis at each of the five locations. Consequently, they did not address potential risks and vulnerabilities to the confidentiality, integrity and availability of all of their ePHI.
Settle Potential HIPAA Violations
In addition to the $3.5 million settlement, OCR ordered FMCNA to:
complete a risk analysis and risk management plan;
revise its policies and procedures on device and media controls as well as facility access controls; and
educate its workforce members on its policies and procedures.
Failure to Perform a Risk Analysis
“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” said OCR Director Roger Severino. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”
This is a good example for organizations working toward compliance, as it clearly shows the risk one takes by not following the guidelines set in the HIPAA Rule. It is an excellent reminder that failure to perform a risk analysis can incur major penalties. Above all, the risk analysis must be performed, used to address gaps, and updated on a regular basis.