The Privacy Rule standards address the use and disclosure of individuals’ health information (called “protected health information”) by organizations subject to the Privacy Rule (called “covered entities”), as well as standards for individuals’ privacy rights to understand and control how their health information is used.
Death of Celebrities and HIPAA
With the recent deaths of several celebrity musicians, media outlets have an ever-growing source of news and information, some of which is dug up in less than lawful ways. Unfortunately, this media demand creates HIPAA breaches.
HIPAA Cases In Point
The UCLA Medical Center recently had to pay $865,500 in fines for negligent handling of patient (mostly celebrity) health information. These breaches constitute a serious risk for hospitals and health centers because the information leaks are often easily traceable. The media’s demand for this information, even through breaches, is high because the public craves details on the lives of their favorite celebrities, but the repercussions for the organization can be great.
Employees can be surprisingly negligent with celebrities’ sensitive information. Workers have caused breaches at major hospitals. Cedars-Sinai Hospital in Los Angeles fired five employees and a student assistant in 2013. The hospital traced a breach of Kim Kardashian’s pregnancy information back to them.
Prince’s Medical Information Leak
This issue becomes relevant today considering the recent passing of Prince in April. His health was relatively fine before, and his death came as a shock to many and remained a great mystery to many. TMZ reported Prince’s medical condition before any official public health announcements. Once again, media demand created a HIPAA breach.
HIPAA does not apply to TMZ. An employee of the hospital leaked the information. Consequently, the hospital is responsible for a breach of private information.
Just recently it was released that Prince died of a drug overdose, but sensitive information can easily be leaked and create legal issues for health providers, especially when it makes its rounds in the news.
HIPAA Breaches Result From Media Coverage
While the demand for information and gossip on celebrities is high and can cloud better judgment, celebrities have the same rights as the rest of us under HIPAA. It is important to restrict media access to a hospital or health center and to inform employees of the legal ramifications of a HIPAA breach. Training employees is crucial and HIPAA Associates can make it easier for you through our expertise on HIPAA compliance and training.
Keep your team informed on standards of HIPAA — Contact HIPAA Associates today for your HIPAA training.
New HIPAA Penalties are now available from the Department of Health and Human Services after it published a notice on April 30th. HHS is exercising its discretion in how it applies its regulations on the assessment of Civil Monetary Penalties (CMPs) under HIPAA. Until now, HHS applied the same cumulative annual limit to all four categories of violations.
Pending further rulemaking, HHS will now apply different cumulative annual CMP limits instead of the maximum of $1.5 million for each level of violation. This is a reduction in the maximum limit, scaling down based on the level of culpability. Consequently, HHS will use the new penalty structure until further notice. It is important to understand the new HIPAA Penalties from HHS.
Based on four categories of culpability, HHS has provided covered entities and business associates with a whole new structure for penalties. In most cases the amount of the penalty will be significantly less than what we have experienced in the past.
For the category of no knowledge, the minimum penalty is now $100, and the annual limit will be $25,000, down from $1.5 million.
For reasonable cause, $1,000 is the minimum and the annual limit is $100,000, down from $1.5 million.
Next, for willful neglect with correction, the minimum is $10,000 and the annual limit is $250,000.
Finally, the highest category is willful neglect with no correction, with a $50,000 minimum and an annual limit of $1,500,000.
This new guidance significantly changes the penalty structure for HIPAA violations and must be considered and understood by covered entities and business associates who deal with protected health information.
To read this important notice on new HIPAA Penalties from HHS, visit the Federal Register using the link below.
A covered entity must have a procedure for individuals to file a HIPAA privacy complaint regarding its privacy practices or an alleged violation of the Privacy Rule. Most importantly, the Notice of Privacy Practices must contain contact information for the covered entity’s privacy officer and information on how to submit a complaint to the Office for Civil Rights. In addition, a complaint must be filed within 180 days of when the complainant knew the violation occurred.
The privacy officer or designee investigates all complaints involving privacy of protected health information. The organization should maintain records on the complaints and their resolution. The Privacy Officer will determine whether or not there has been a violation or a breach of unsecured PHI. In a filing to the OCR, there should be information about the complainant. There should be details of the complaint and any additional information that might help OCR when reviewing the complaint.
On behalf of the covered entity, the Privacy Officer will respond to inquiries initiated by the Office for Civil Rights as it investigates complaints.
No Retaliation for Filing a Privacy Complaint
Above all, an organization must not retaliate against anyone for filing a HIPAA privacy complaint under the HIPAA rules. Most importantly, an organization must encourage employees to file a complaint if they feel a violation took place. Finally, an organization must resolve complaints and prevent the underlying violations from happening again, which helps protect the organization. If retaliatory action does occur, an employee may complain directly to the OCR.
In conclusion, there must be a good process for filing a privacy complaint, and there should be no retaliation for doing so.
This is your HIPAA ABCs brought to you by HIPAA Associates. Contact us for more information on this important topic.
Social media offers many benefits for health care organizations because it allows interaction with patients and others and offers education and services. As a result, it is an essential communication and marketing tool and part of strategic marketing plans. Organizations also turn to social media to communicate with their employees. Unfortunately, HIPAA and social media can be problematic.
Authorization to use PHI
It is possible to violate the HIPAA Rules and patient privacy while using social media if it is not managed correctly. For this reason, it is important for health care organizations to disclose protected health information carefully. An organization must do so only with patient authorization for interviews, photographs and marketing communications.
Media Posts May Risk Privacy
Posts of PHI by employees violate the HIPAA Rules and result in a reportable breach of PHI. Social media posts are not a permissible use or disclosure of PHI. The ability to post simultaneously on several platforms increases the risk for an organization. Remember that to de-identify PHI, all 18 identifiers must be removed, and there must be a low risk that the remaining information could be used to identify the patient. Facial images and other identifiers such as tattoos must also be removed.
Preventing HIPAA Privacy Risk
Employees should be trained on the dangers of using social media inappropriately from the very onset of their employment. Many organizations deal with the issue by developing a social media use policy and by monitoring social media activity. If not addressed, HIPAA and social media can be problematic.