Articles

Subscribe to Articles

In 1973, President Richard Nixon’s Chief of Staff H.R. Haldeman warned White House Counsel John Dean against talking to prosecutors investigating the growing Watergate scandal, telling him “Once the toothpaste is out of the tube, it’s going to be very hard to get it back in,” and a useful idiom was born. Personal electronic data, including protected health information, once disclosed, can be equally difficult to recapture and contain.

A recent article in Slate entitled You Can’t Clean Up a Data Spill describes the obstacles to effectively remediating a data breach or improper disclosure in the wake of revelations about the breach involving Facebook data and Cambridge Analytica. As author April Glaser stated, “There’s no such thing as a cleanup site for data spills. That’s because when data leaks, it can be duplicated far faster than anyone can mop it up.”

Cambridge Analytica, a British political consulting firm, provided research, data mining and communication services to campaigns including those of Ted Cruz and Donald Trump. The firm claimed to have developed “psychographic” profiles of voters that could predict their personality traits and political leanings. The New York Times reported that the firm had harvested information from the Facebook profiles of over 50 million users without their permission, and a subsequent CNN report estimates the breach may have affected up to 87 million users. The firm’s chief executive has claimed that the data had been deleted when the improper acquisition was brought to their attention two years prior to the Times article. But how much toothpaste is still in circulation, and can anything be done to recover it?

Facebook founder Mark Zuckerberg has told CNN that Cambridge Analytica provided them with a formal certification from the firm that it had deleted all user data acquired through improper means. Unfortunately, even if that is accurate, it cannot address whether the data had been copied or further disclosed prior to such deletion. According to Slate:

Tracking down and searching where that data has gone will be incredibly difficult,” says Sarah Aoun, a digital security specialist and open web fellow at the Mozilla Foundation. “I’m not even sure it would be realistic.” Maybe it would be easier if the data was “watermarked,” meaning there was some tag on the data to indicate it was the Cambridge Analytica–obtained Facebook data. But Facebook didn’t do that, as Zuckerberg explained to Wired, and even if it had, Aoun says that “any identifiable trace relating it back to Facebook can be altered and then changed and could exist in 10 different shapes and forms online or in the hands of anyone.”

The Facebook/Cambridge Analytica breach is a sobering cautionary tale for covered entities and business associates subject to HIPAA who routinely handle large amounts of PHI. Once a breach occurs and is discovered, it may be impossible to definitively account for all data that may have been copied or transmitted. All the more reason to secure the cap on your EHR tube.

In a recent New York Times op-ed piece entitled “How a Bad Law and a Big Mistake Drove My Mentally Ill Son Away,” the father of a young man involuntarily hospitalized under Florida’s Baker Act decries “privacy laws” for limiting his access to information about his son’s whereabouts and care.   If this account is accurate, it highlights the widespread confusion that surrounds  health care providers’ communication with family members.

The article’s author, Norman Ornstein, describes a disturbing incident in which his son Matthew’s landlord reported that Matthew’s behavior was putting himself in danger.  Based on the landlord’s report, which Ornstein later describes as a pretext for removing Matthew from the property, Ornstein and his wife agreed to authorize a 72-hour involuntary commitment under the Florida statute.  They later learned that Matthew had been seized by police and taken to the county mental health facility, where he was held for three days and released.  He reported:

But the staff members wouldn’t let us in. In fact, they said privacy rules meant that they could not even confirm that he was there. … The Baker Act allows 72 hours of involuntary observation to see whether someone is in fact an imminent danger to himself or others. Matthew was not, and after three awful days, he was put in a taxi and sent home. We were not informed when he was released.

Matthew had begun to struggle with mental illness at age 24, but his age at the time is not specified.  Since he was no longer a minor, his parents would not be “personal representatives” with access to all his health information absent a guardianship appointment, power of attorney, or similar process recognized under applicable law.  However, the facility would have been permitted to confirm his admission and general condition under the HIPAA “directory exception,” which states:

(a) Standard: Use and disclosure for facility directories

(1) Permitted uses and disclosure. Except when an objection is expressed in accordance with paragraphs (a)(2) or (3) of this section, a covered health care provider may:

(i) Use the following protected health information to maintain a directory of individuals in its facility:

(A) The individual’s name;

(B) The individual’s location in the covered health care provider’s facility;

(C) The individual’s condition described in general terms that does not communicate specific medical information about the individual; and

(D) The individual’s religious affiliation; and

(ii) Use or disclose for directory purposes such information:

(A) To members of the clergy; or

(B) Except for religious affiliation, to other persons who ask for the individual by name.

HIPAA also allows family members to be given information in order to locate an individual, and allows the sharing of protected health information directly relevant to the family members’ involvement with the individual’s health care or payment for such care.

(b) Standard: Uses and disclosures for involvement in the individual’s care and notification purposes

(1) Permitted uses and disclosures.

(i) A covered entity may, in accordance with paragraphs (b)(2), (b)(3), or (b)(5) of this section, disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the protected health information directly relevant to such person’s involvement with the individual’s health care or payment related to the individual’s health care.

(ii) A covered entity may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual’s location, general condition, or death.

Finally, the facility could have simply asked Matthew if he agreed to allow the facility to notify his parents that he was being treated there. The Times account does not indicate whether the facility attempted to seek his consent, and it is possible that he was asked and refused.

The Office of Civil Rights (OCR) of the Department of Health and Human Services has addressed these concerns in a bulletin entitled HIPAA Helps Caregiving Connections –  HIPAA helps family and friends stay connected with loved ones who have a substance use disorder, including opioid abuse, or a mental or behavioral health condition:

If a family member, friend, or person you are caring for, has a mental health condition, substance use disorder (including opioid abuse), or other health problem, it can be difficult to stay connected if their condition worsens and they enter a health care facility for observation or treatment. HIPAA helps by allowing the health and mental health providers who treat your loved one to make decisions about communicating with his or her family and friends based on their professional judgment about what is best for the patient.

For Notification Purposes: HIPAA helps you stay connected with your loved one by permitting health professionals to contact you with information related to your family member, friend, or the person you are caring for, that is necessary and relevant to your involvement with the patient’s health care or payment for care. For example, if your loved one becomes disoriented, delirious, or unaware of their surroundings, due, for example, to opioid abuse or a mental health crisis, and arrives at a hospital emergency room for treatment, the doctors, nurses, and social workers may notify you of the patient’s location  and general condition. First, the staff will determine whether the patient agrees to share this information with you or if you are the patient’s personal representative.

If the patient is not able to make decisions (for example, due to being unconscious, sedated, severely intoxicated, or disoriented), then the doctors, nurses, and social workers may contact you without the patient’s permission when they determine that doing so is in the patient’s best interests.

To Help the Patient: HIPAA helps you to assist your loved one by permitting doctors, nurses, and social workers to share protected health information that is related to the care and assistance you are providing to your loved one. For example, if your adult son has been prescribed medication to treat anxiety, and you are helping him by providing supervision or housing, the discharge nurse may inform you what medication he will be taking, if he doesn’t object to sharing this information with you–as well as the side effects to watch for, or symptoms that indicate the medication isn’t working or isn’t being taken properly. If your son is unable to make health decisions independently, the nurse may decide to share this information with you if the nurse determines, using professional judgment, that it is in your son’s best interests.

See also Elizabeth Litten’s post following the Florida nightclub shootings in 2016:  Reflections on HIPAA Protections and Permissions in the Wake of the Orlando Tragedy

Some facilities tend to err on the side of caution when they are uncertain whether they are permitted to release information.  In addition, to the extent a state law affords greater privacy protections than those afforded under HIPAA, the state law protections will control.  However, erring on the side of caution when no HIPAA restriction applies and no other law affords greater privacy protections may actually exacerbate problems for the individual, particularly in the context of mental health.

 

 

Our partner Elizabeth Litten and I were recently featured again by our good friend Marla Durben Hirsch in her article in the April 2017 issue of Medical Practice Compliance Alert entitled “Business associates who farm out work create more risks for your patients’ PHI.” Full text can be found in the April, 2017 issue, but a synopsis is below.

In her article Marla cautioned, “Fully one-third of the settlements inked in 2016 with OCR [the Office of Civil Rights of the U.S. Department of Health and Human Services] dealt with breaches involving business associates.” She pointed out that the telecommuting practices of business associates (“BAs”) and their employees with respect to protected health information (“PHI”) create heightened risks for medical practices that are the covered entities (“CEs”) — CEs are ultimately responsible not only for their own HIPAA breaches but for HIPAA breaches of their BAs as well.

Kline observed, “Telecommuting is on the rise and this trend carries over to organizations that provide services to health care providers, such as billing and coding, telehealth providers, IT support and law firms.” Litten commented, “Most business associate agreements (BAAs) merely say that the business associate will protect the infor­mation but are not specific about how a business associate will do so, let alone how it will when PHI is off site.”

Litten and Kline added, “OCR’s sample business associate agreement is no dif­ferent, using general language that the business associate will use ‘appropriate safeguards’ and will ensure that its subcontractors do so too.”

Kline continued, “You have much less control over [these] people, who you don’t even know . . . . Moreover, frequently practices don’t even know that the business associate is allowing staff or subcontractors to take patient PHI off site. This is a collateral issue that can become the fulcrum of the relationship. And one loss can be a disaster.”

Some conclusions that can be drawn from Marla’s article include the following items which a CE should consider doing  when dealing with BAs:

  1. Select BAs with due care and with references where possible.
  2. Be certain that there is an effective BAA executed and in place with a BA before transmitting any PHI.
  3. Periodically review and update BAAs to ensure that they address changes in technology such as telecommuting, mobile device expansion and PHI use and maintenance practices.
  4. Ask questions of BAs to know where they and their employees use and maintain PHI, such as on laptops, personal mobile devices or network servers, and what encryption or other security practices are in place.
  5. Ask BAs what subcontractors (“SCs”) they may use and where the BAs and SCs are located (consider including a provision in BAAs that requires BAs and their SCs to be legally subject to the jurisdiction of HIPAA, so that HIPAA compliance by the CE and enforcement of the BAA can be more effective).
  6. Transmit PHI to the BA using appropriate security and privacy procedures, such as encryption.
  7. To the extent practicable, alert the BA in advance as to when and how transmission of PHI will take place.
  8. Obtain from each BAA a copy of its HIPAA policies and procedures.
  9. Maintain a readily accessible archive of all BAAs in effect to allow quick access and review when PHI issues arise.
  10. Have a HIPAA consultant available who can be contacted promptly to assist in addressing BA issues and provide education as to best practices.
  11. Document all actions taken to reduce risk from sharing PHI with BAs, including items 1 to 10 above.

Minimizing risk of PHI breaches by a CE requires exercising appropriate control over selection of, and contracting and ongoing interaction with, a BA. While there can be no assurance that such care will avoid HIPAA breaches for the CE, evidence of such responsible activity can reduce liability and penalties should violations occur.

As she has done in January for several years, our good friend Marla Durben Hirsch quoted my partner Elizabeth Litten and me in Medical Practice Compliance Alert in her article entitled “MIPS, OSHA, other compliance trends likely to affect you in 2017.” For her article, Marla asked various health law professionals to make predictions on diverse healthcare matters including HIPAA and enforcement activities. Full text can be found in the January 2017 issue, but excerpts are included below.

Marla also wrote a companion article in the January 2017 issue evaluating the results of predictions she published for 2016. The 2016 predictions appeared to be quite accurate in most respects. However, with the new Trump Administration, we are now embarking on very uncertain territory in multiple aspects of healthcare regulation and enforcement. Nevertheless, with some trepidation, below are some predictions for 2017 by Elizabeth and me taken from Marla’s article.

  1. The Federal Trade Commission’s encroachment into privacy and security will come into question. Litten said, “The new administration, intent on reducing the federal government’s size and interference with businesses, may want to curb this expansion of authority and activity. Other agencies’ wings may be clipped.” Kline added, “However, the other agencies may try to push back because they have bulked up to handle this increased enforcement.”
  2. Telemedicine will run into compliance issues. As telemedicine becomes more common, more legal problems will occur. “For instance, the privacy and the security of the information stored and transmitted will be questioned,” says Litten. “There will also be heightened concern of how clinicians who engage in telemedicine are being regulated,” adds Kline.
  3. The risks relating to the Internet of things will increase. “The proliferation of cyberattacks from hacking, ransomware and denial of service schemes will not abate in 2017, especially with the increase of devices that access the Internet, known as the ‘Internet of things,’ warns Kline. “More devices than ever will be networked, but providers may not protect them as well as they do other electronics and may not even realize that some of them —such as newer HVAC systems, ‘smart’ televisions or security cameras that can be controlled remotely — are also on the Internet and thus vulnerable,” adds Litten. “Those more vulnerable items will then be used to infiltrate providers’ other systems,” Kline observes.
  4. More free enterprise may create opportunities for providers. “For example, there may not be as much of a commitment to examine mergers,” says Kline. “The government may allow more gathering and selling of data in favor of business interests over privacy and security concerns,” says Litten.

The ambitious and multi-faceted foray by the Trump Administration into the world of healthcare among its many initiatives will make 2017 an interesting and controversial year. Predictions are always uncertain, but 2017 brings new and daunting risks to the prognosticators.  Nonetheless, when we look back at 2017, perhaps we may be saying, “The more things change, the more they stay the same.”

U.S. Representative Tim Murphy (R-PA) has been a vocal advocate for mental health reform for a number of years.  Part of his crusade is driven by his concern that the HIPAA privacy rule “routinely interferes with the timely and continuous flow of health information between health care providers, patients, and families, thereby impeding patient care, and in some cases, public safety.”  Congressman Murphy’s efforts have resulted in the inclusion in the recently-passed 21st Century Cures Act of a provision entitled “Compassionate Communications on HIPAA” targeted at improving understanding of what mental health information can be shared with family members and caregivers.

The 21st Century Cures Act streamlines the drug approval process, authorizes $4.8 billion in new health research funding, including $1.8 billion for Vice President Joe Biden’s “cancer moonshot” and $1.6 billion for brain diseases such as Alzheimer’s, and provides grants to combat the opioid epidemic.

Of most interest to readers of this blog, the Act also calls for the Department of Health and Human Services (HHS) to clarify the situations in which HIPAA permits health care professionals to communicate with caregivers of adults with a serious mental illness to facilitate treatment.  By December 13, 2017, the Secretary of HHS is required to issue guidance  regarding when such disclosures would require the patient’s consent; when the patient must be given an opportunity to object; when disclosures may be made based on the exercise of professional judgment regarding whether the patient would object when consent may not be obtained due to incapacity or emergency; and when disclosures may be made in the best interest of the patient when the patient is not present or is incapacitated.   HHS is directed to address communications to family members or other individuals involved in the care of the patient, including facilitating treatment and medication adherence.  Guidance is also required regarding communications when a patient presents a serious and imminent threat of harm to self or others.  HHS is directed to develop model training materials for healthcare providers, patients and their families.

The law incorporates the Substance Abuse and Mental Health Administration’s definition of the term “serious mental illness” as “a diagnosable mental, behavioral, or emotional disorder that results in serious functional impairment and substantially interferes with or limits one or more major life activities.”

Importantly, the law neither changes existing regulatory exceptions under HIPAA nor directs HHS to modify them.  Instead, it calls for further explanation of existing rules that are often poorly understood by providers, patients and caregivers alike or may actually be used inappropriately to thwart the flow of meaningful and helpful information leading to barriers to effective communication that would benefit patients and improve mental health outcomes.

An existing public safety exception permits a covered entity to use or disclose PHI if the covered entity, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and the disclosure is made to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.

The existing exception for caregivers permits disclosures to a family member, other relatives, or a close personal friend of the individual, or any other person identified by the individual, but only regarding PHI that is directly relevant to such person’s involvement with the individual’s health care or payment for care.

PHI may also be disclosed when the patient is present and provides consent, does not object to a disclosure of PHI to another individual accompanying them when given the opportunity to object, or where the covered entity reasonably infers from the circumstances, based on the exercise of professional judgment, that the patient does not object to the disclosure.

Other existing exceptions address emergency situations as well as cases where the patient is incapacitated, and permit disclosure of only the PHI that is directly relevant to the other person’s involvement with the patient’s care or payment.

The new law falls short of Rep. Murphy’s previous legislative proposals.  In 2015, Murphy introduced a bill entitled the Helping Families In Mental Health Crisis Act. which he said would “allow the doctor or mental health professional to provide the diagnosis, treatment plans, appointment scheduling, and prescription information to the family member and known caregiver for a patient with a serious mental illness. This change would apply for those who can benefit from care yet are unable to follow through on their own self-directed care.”   This bill was passed by the House by a wide margin but was not enacted.

While the new law does not expand HIPAA exceptions, it does make it more likely that those exceptions already on the books will be more clearly understood and implemented in cases involving serious mental illness.

Federal enforcement agencies are increasingly focusing on HIPAA breaches which involve mishandling of PHI by telecommuters.  Two recent cases illustrate the liability exposure resulting from inadequate oversight of staff working remotely.

Medical equipment supplier Lincare was fined $239,800 as a result of a breach which occurred when an employee left unprotected PHI in a car in the possession of her estranged husband.  An Administrative Law Judge upheld the penalty, noting that Lincare did not have policies in place requiring employees to safeguard medical information off-site.

In a second case, Cancer Care Group, an Indianapolis radiation oncology practice (CCG), entered into a $750,000 settlement with OCR after unencrypted backup tapes containing the PHI of more than 50,000 patients were stolen from a telecommuting employee’s vehicle.  OCR required the group to enter into a Corrective Action Plan that included conducting a risk analysis and developing and implementing policies and procedures to prevent similar occurrences.

My partners Michael Kline and Elizabeth Litten were quoted in the November issue of Medical Practice Compliance Alert by Marla Durben Hirsch in her article entitled “Call it telecommuting or working remotely, it needs a HIPAA policy.”

It is increasingly common for employers, including health care providers, to allow staff to work off site on a full- or part-time basis. While it’s most commonly seen as working from home, it includes anywhere but the office, including on a train, in a coffee shop, while traveling from patient to patient or elsewhere, points out attorney Michael Kline with Fox Rothschild in Princeton, N.J.

But it increases the risk of HIPAA violations because the practice is no longer in control of some of the technical and physical safeguards required by HIPAA’s security rule to protect the PHI, points out attorney Elizabeth Litten, also with Fox Rothschild.

“There are more opportunities for things to go wrong,” Litten warns.

Among the tips suggested in the article are the following:

  1. Have clear policies about what practices are accepted and how workers will protect the data;
  2. Determine what hardware and software will be allowed and how it must be configured;
  3. Make sure that the PHI can be password-protected, encrypted or otherwise segregated if the employee does not have a dedicated computer, so that family members who have access to the computer can’t view the PHI. “You don’t want it accessed by little children who want to look at Bubble Guppies,” says Kline.
  4. Double check that your insurance policies allow telecommuting;
  5. Include PHI off the premises as part of your practice’s overall risk assessments and management;
  6. Incorporate protection of PHI into your practice’s telecommuting policy;
  7. Get the promise to protect PHI in writing; and
  8. Monitor how telecommuters handle PHI.

Failure to design and implement effective telecommuting policies and procedures contributed to the breaches at Lincare and CCG and may have substantially increased the magnitude of the financial penalties.  Ideally, covered entities and business associates should anticipate issues with telecommuters and roll out appropriate rules before any PHI leaves the office, but if you already have team members working remotely, it is better to address these risks late than never.

 

 

 

Are strangers wandering around your health care facility with their noses buried in their smartphones? And if so, what should you do about it? They’re playing Pokémon GO, a location-based augmented reality mobile game that was released for iOS and Android devices on July 6, 2016. Its popularity exceeded all expectations (my kids are probably playing it right now).

The game’s objective requires players to search in real-world locations for icons that appear on a GPS-like virtual map. The icons may represent PokéStops where players may find and capture Pokémon (“pocket monster” characters) that appear on the player’s phone superimposed over images of the real-world location when in augmented reality (AR) mode, and “Gyms” where they can virtually battle other players. Niantic, Inc., a Google spinoff, developed the game and based its PokéStops and Gyms on user-contributed locations (“portals”) from its previous augmented reality game, Ingress. These sites include businesses, parks, public buildings, museums, churches, private homes, and yes, even hospitals.

When players encounter Pokémon, they can take screen shots using their phone’s camera, which in AR mode will also capture whatever is in the background at the time. Naturally, this is giving hospitals and other healthcare facilities some concerns about safety, privacy, and maintaining a peaceful healing environment.  Indeed, in extreme cases of “invasion by Pokémon GO players,” the law of tort or criminal trespass could possibly be invoked by a health care facility in many jurisdictions. Simply stated, the action of trespass can be maintained against anyone who interferes with the right of ownership or possession of land, whether the invasion is by a person or by something that a person has set in motion. However, such an action would undoubtedly create a media sensation and must be carefully considered before undertaking it

The game has already made headlines for contributing to incidents where deeply-absorbed players have been injured by following their phones into the path of danger. The Advisory Board reports that the game has directed players near a hospital’s helipad Amid ‘Pokémon Go’ craze, hospitals say game players could jeopardize patient safety. Healthcare Business and Technology reports “The sheer amount of unauthorized visitors has raised safety concerns about everything from security issues to increased germ exposure that heightens patients’ risk of infections.” Pokemon Go causes problems for hospitals: How to respond.

Ban it? Embrace it?

Accordingly, some hospitals have asked players to avoid their campuses or banned the game outright. Others have forbidden their staffs from playing the game while on site, according to Healthcare IT News. The game appeals to a surprisingly wide age group since many adults have fond memories of playing the original Nintendo game in the mid-1990’s.

For HIPAA purposes, the use of smartphone cameras in the game can be problematic. At a recent meeting of the Healthcare Council of Western Pennsylvania, compliance officers reported that they had discovered PokéStops in their facility near patient care areas where records were potentially visible. Hospitals certainly do not want to encourage or permit individuals to wander their halls who are not there to obtain care or visit patients they know.

Many hospitals have policies on use of cameras or camera phones on campus, and those policies should be reviewed and recirculated to staff as well as communicated to patients and visitors in light of the popularity of the game.

Some children’s hospitals, however, are big fans of the game and its ability to motivate hospitalized kids to be more physically active and socially interactive. USA Today reports:

In the past, young patients at C.S. Mott Children’s Hospital in Ann Arbor, Mich., shuffled down the hallways without speaking to each other, but now it’s not uncommon to see them stop and talk near a Pokémon Go hotspot.

Advocate Children’s hospital in Oak Lawn/Park Ridge, IL tweeted a photo of a young patient playing the game with the caption “Luke’s mom says @Pokemon Go has been a lifesaver to get him out of his hospital room and moving around!” We hope they had Luke’s mom’s permission for the tweet. Toronto’s Sunnybrook Hospital tweeted : “We love that #PokemonGO encourages exercise! Remember: stay alert & safe. Can’t catch ’em all from a hospital bed.” Of course HIPAA is not an issue in Canada, but there is Ontario’s Personal Health Information Protection Act (PHIPA). And a meme is circulating featuring an anime-style nurse which reads “

Hey Pokémon Go players. Have extra lures? Then drive to your nearest Children’s Hospital and drop the lure there. There are plenty of kids who would love to go out and collect Pokémon, but they are stuck in bed, so this will help them.”

(Lures are markers players can collect and distribute within the game that help attract Pokémon).

Wipe yourself off the map?

Hospitals are not the only unwilling hosts of PokéStops and Gyms. The Holocaust Museum and Arlington National Cemetery are among locations that are included in the game’s map. As a result of objections, Niantic has set up a link to a form on its web site through which you can request removal of a PokéStop or Gym. It is not clear how long it will take for the company to remove an unwelcome site.

It’s common these days for technology to outpace policy, but it’s a good idea to understand this sudden craze and decide how to approach it in your organization.

Our partner Elizabeth Litten and I were featured again by our good friend Marla Durben Hirsch in her article in the April 2016 issue of Medical Practice Compliance Alert entitled “5 safeguards to take with patient-employee health records.” Full text can be found in the April, 2016 issue, but a synopsis is below.

For her article, Marla asked us to comment about physician medical practices that provide medical treatment to their own employees and other staff or affiliates (collectively, “Patient-Employees”). She observed that “These medical records [of Patient-Employees] are not fair game for colleagues to view unless there’s a job-related reason for them to do so.”

Marla quoted Kline as saying that “It’s human nature to talk about others [that you know]. You also have rogue employees who are ‘frenemies’ [Or simply curious about a co-worker’s treatment].” Nonetheless, as Marla observed, events of improper access are not just potential HIPAA violations; they can also have a negative impact on the workplace.

Our five tips for reducing the risks of improper breaches of Patient-Employees’ health information that were developed with Marla follow:

Litten: Include employee privacy in your HIPAA education. “This is a topic for specific training.” For example, make sure that everyone in the office knows the practice’s HIPAA policies and procedures, and that all patients, even those who are employees are entitled to their privacy rights. Emphasize the fact that employees should only review records when it is necessary to do their job.

Kline: Limit access to the records. “For instance, not all employees need unfettered access to electronic medical records, so different staff members can have different levels of access.    Human resources shouldn’t be able to find out that an employee came in for [medical] help.”

Litten and Kline: Take consistent disciplinary action when warranted. An employee may need to be retrained, disciplined or even fired, and treat all workforce members the same, whether licensed professionals or other staff.

Litten: Require staff to report these kinds of breaches. “At the least the practice can argue that the employee had an obligation to report, and by not doing so the fault lay with the employee, not the employer.”

Litten and Kline: Don’t let Patient-Employees take shortcuts to access their records. All patients are entitled to access their records; Patient-Employees should be required to go through the same procedures to access their records as any non-Patient-Employee.

In this ever more-challenging environment of compliance with the privacy and security requirements of HIPAA (and other applicable federal and state laws), a health care provider should limit the risks appurtenant to providing treatment to its own employees as patients, especially since it may be an economical and efficient alternative. There are enough external risks lurking about. Through establishing discrete policies and procedures, a provider can do much to control its internal risks involving Patient-Employees.

President Obama announced a series of Executive Orders on January 4, 2016 to address gun-related violence in America. Among those orders was an initiative to increase mental health reporting to the background check system. But this does not mean that mental health records will be widely released or that anyone who has sought treatment for mental illness will be banned from gun ownership.  It only means that information about individuals who are already prevented from owning guns under current law will be made available for background checks.

A fact sheet released by the administration includes this summary:

Remove unnecessary legal barriers preventing States from reporting relevant information to the background check system. Although States generally report criminal history information to [the National Instant Criminal Background Check System, (NICS)], many continue to report little information about individuals who are prohibited by Federal law from possessing or receiving a gun for specific mental health reasons. Some State officials raised concerns about whether such reporting would be precluded by the Privacy Rule issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Today, the Department of Health and Human Services issued a final rule expressly permitting certain HIPAA covered entities to provide to the NICS limited demographic and other necessary information about these individuals.

A Final Rule was posted by the Office of Civil Rights of the Department Health and Human Services (OCR) at https://federalregister.gov/a/2015-33181.  In an announcement posted by OCR, the agency emphasized that this rule is narrowly drawn and applies only to a limited category of covered entities:

The new modification is carefully and narrowly tailored to preserve the patient-provider relationship and ensure that individuals are not discouraged from seeking voluntary treatment. This rule applies only to a small subset of HIPAA covered entities that either make the mental health determinations that disqualify individuals from having firearms or are designated by their States to report this information to NICS – and it allows such entities to report only limited identifying, non-clinical information to the NICS.

The rule does not apply to most treating providers and does not allow reporting of diagnostic, clinical, or other mental health treatment information. [emphasis added]

OCR emphasizes that individuals who seek help for mental health conditions and/or receives mental health services are not automatically legally prohibited from having a firearm, and that nothing in the final rule changes that.

The rule only applies to state agencies or other agencies that are designated by the state to report, or which collects information for purposes of reporting, on behalf of the state, to the NICS; or a court, board, commission, or other lawful authority that makes the commitment or adjudication that causes an individual to lose the right to possess firearms under existing federal law.  It authorizes such agencies to disclose the information only to NICS or an entity designated by the state to report, or which collects information for purposes of reporting, on behalf of the State, to NICS, and permits disclosure of only such limited demographic and certain other information needed for purposes of NICS reporting.  It expressly prohibits disclosure of diagnostic or clinical information for such purposes.

In light of the heightened emotions surrounding any government action relating to firearms, especially as it may involve mental health and HIPAA, it is likely that misunderstandings, exaggerations, misinformation (or even intentional disinformation)  about this limited change will circulate through social media and similar channels.  Healthcare providers and other covered entities should be aware that the rule changes nothing except for certain state agencies and their agents.

 

 

A thoughtful reader responded to our last post, Debunking a Viral “Medical Hack” Meme,  which advised health plan subscribers to cite certain HIPAA compliance issues in efforts to overturn unfavorable insurance coverage decisions.

Jeff Knapp wrote:

This meme just popped up in my Facebook news feed this morning, and I was happy to see you addressed it so quickly. I too immediately noticed several flaws. In addition to the ones you noted here, there is certainly no right under HIPAA for an individual to speak with a covered entity’s privacy officer. While it’s true that a covered entity must designate a contact person or office, in my experience the contact person/office and the privacy officer are not the same. Typically, a privacy officer is dealing with higher-level issues than responding to requests for documents. I always enjoy reading your blog posts.

Mr. Knapp accurately notes that there is no right to contact a privacy officer, and in fact, HIPAA provides no private right of action for an individual whose protected health information was improperly accessed.  See Why Can’t I Sue Under HIPAA for a Breach of my Protected Health Information? What Can I Do?

Moreover, if the individual disputing a coverage decision is covered by a self-insured plan sponsored by his or her employer, the strategy advocated by the meme could easily backfire, notwithstanding any separation of insurance administration and human resources functions within an employer’s management structure, whether nominal or reasonable.