Breaches of Protected Health Information are a serious matter. A breach is an impermissible use or disclosure of protected health information (PHI) that compromises the privacy or security of the PHI. An impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised, based on a risk assessment of the following factors:
First, the nature and extent of the PHI involved, including the types of identifiers and the likelihood of identification.
Second, the unauthorized person to whom the disclosure was made.
Third, whether the PHI was actually acquired or viewed.
Finally, the extent to which the risk to the patient has been mitigated.
Breaches of Protected Health Information take many forms. Examples of breaches of paper PHI include the loss of paper files, insecure disposal, and paperwork handed to the wrong person. All entities that handle paper PHI must therefore be aware of how important it is to share and dispose of this information carefully. It is not uncommon for patients to receive another patient's discharge summary, or for old medical records to be found simply thrown away in the trash.
Examples of electronic PHI breaches include the loss of an unencrypted mobile device and the sharing of PHI on an unsecured document-sharing website. Most importantly, every organization must establish a process by which electronic PHI stored in the cloud is protected.
All of these types of breach have been the subject of Office for Civil Rights penalties.
Verbal breaches of PHI occur when PHI is disclosed to the wrong individual, or when it is overheard because safeguards were not used.
It is important for all covered entities and business associates to review their policies so that they can better protect PHI, whether it is on paper, electronic, or spoken.
Social media offers many benefits for health care organizations: it allows interaction with patients and others, and it offers education and services. It has therefore become an essential communication and marketing tool and a part of strategic marketing plans, and organizations also turn to social media to communicate with their employees. Unfortunately, HIPAA and social media can be a problematic combination.
Authorization to use PHI
If not managed correctly, the use of social media can violate the HIPAA Rules and patient privacy. Health care organizations must therefore disclose protected health information carefully, and only with patient authorization for interviews, photographs and marketing communications.
Media Posts May Risk Privacy
Posts of PHI by employees violate the HIPAA Rules and result in a reportable breach of PHI. Social media posts are not a permissible use or disclosure of PHI. The ability to post simultaneously on several platforms increases the risk to an organization. Remember that to de-identify PHI, all 18 identifiers must be removed, and there must be a low risk that the remaining information could be used to identify the patient. Facial images and other identifying features such as tattoos must also be removed.
Preventing HIPAA Privacy Risk
Employees should be trained on the dangers of inappropriate social media use from the very start of their employment. Many organizations address the issue by developing a social media use policy and by monitoring social media activity. If the issue is not addressed, HIPAA and social media can be a problematic combination.
Permitted uses and disclosures of PHI exist for a number of different purposes within the health care sector. By following these guidelines, an organization can stay in compliance with HIPAA's rules while still sharing protected health information. An organization must recognize these rules, and all employees of an organization that acts as a covered entity or business associate must be aware of them. It is always permitted to use and disclose PHI for treatment, payment and health care operations.
Sharing with Health Care Providers
Keep in mind that HIPAA was written not only to protect PHI but also to assist treatment providers in caring for the patient without requiring patient authorization to share that PHI. For example, it is permissible to share protected health information with health care providers who will treat the patient in their office or after hospital discharge. The sharing may be done electronically, but it must be done in a manner that complies with the Security Rule.
Sharing for Care Coordination
We now see the need to share data with health care providers for purposes of care coordination. This has expanded the "permitted uses and disclosures of PHI." This activity did not exist when HIPAA was written; it is now required by CMS and is part of a treatment plan. A health care provider may disclose PHI to another provider for this treatment purpose without patient authorization. This information must be shared with all employees of the organization.
By following these simple guidelines, organizations will be able to stay in compliance with HIPAA as they manage their PHI. One must also realize that there are other ways in which PHI may safely be shared without having to obtain permission, for example when there is a court order or for law enforcement purposes.
Keep in mind that the purpose of HIPAA is to protect PHI. In addition, it assists treatment providers in caring for the patient without requiring patient authorization to share their PHI. For example, it is permissible to share PHI with health care providers who will treat the patient in their office or after hospital discharge. PHI may therefore be shared electronically for treatment, provided this is done in a manner that complies with the Security Rule. PHI may also be disclosed for payment purposes, as with a billing company. Finally, PHI may be shared for health care operations activities.