This is the seventh interview in a series that explores the crossroads of the Health Insurance Portability and Accountability Act (HIPAA) and digital media.
George Indest practices healthcare law in Florida and across the country. Mr. Indest’s comments don’t provide legal advice, but they do offer us some insight on how the Health Insurance Portability and Accountability Act (HIPAA) impacts digital media for fertility centers. I asked Mr. Indest about some of the more common mistakes that practices have made to lead to a HIPAA breach.
Indest: Very often, breaches are inadvertent disclosures of protected health information (PHI) to people who didn’t have authorization to view it. Unauthorized disclosures may even include the patient’s immediate family members. Unless the patient has signed a HIPAA authorization for their family members to be able to view their information, the provider cannot release those records. There are several inadvertent mistakes that lead to HIPAA breaches, often including unintended recipients of patient information. This can include sending or forwarding an e-mail to the wrong person, replying to all instead of to an individual, or sending a fax to a recipient whose number is only one digit different from the intended recipient.
What happens when a patient releases their own information on a blog, place page, or social media channel operated by the practice?
The patient is free to release whatever information they want. That in no way effects the practice or the covered entity. I know of no legal obligation to take down patient posts. If the channels are open to the public, it’s the patient’s right and decision to disclose that information. That’s not covered by HIPAA. But, if the channels are open to the public, the covered entity needs to make warnings available that the practice does not have control over who can see that information.
What are the implications when the practice responds to the patient? Does a general response disclose a patient-physician relationship?
I don’t think there’s any sort of violation at all in a response that doesn’t contain PHI. Social interactions take place between patients and physicians all the time. There’s no breach of anyone’s confidentiality unless medical information is discussed. With that said, I have read of breaches wherein a practice responded to a patient’s Better Business Bureau (BBB) complaint and disclosed some of their records to refute the complaint. This is an unauthorized disclosure of PHI and a clear HIPAA violation. The patient is free to release whatever information they want, but that doesn’t authorize the practice to do the same. Even if it is a positive review, where the practice wants to share or retweet information that the patient has already made public, it would be on the safe side to get HIPAA authorization.
What should healthcare providers be doing right now to ensure HIPAA compliance?
The Office of Civil Rights (OCR) and the Department of Health and Human Services (HHS) have indicated more HIPAA audits and investigations. There are more law suits and more complaints of breaches than ever before. Personnel need constant training. They need constant reminders of HIPAA risks. Go overboard in your risk assessment and risk management. There are plenty of plaintiff attorneys looking for suits and there are plenty of things that shouldn’t be occurring. Personnel not directly involved in a patient’s care should not be viewing that patient’s records, and it’s a risk that happens far too often. Education and training need to be provided on an ongoing basis.
George Indest is the principal of the Health Law Firm in Altamonte Springs, Florida. The Health Law Firm, concentrates in representing health care providers, exclusively. Their attorneys include those Board Certified in Health Law. If you would like to learn more from George’s legal expertise, you can contact him here.