While the news is full of high-profile HIPAA breach cases and assessments of multi-million-dollar fines, smaller practices are not immune. They often succumb to the same types of error and bad judgment that affect larger providers. Fortunately, by following a few sensible guidelines, even smaller practices can safeguard themselves against the improper disclosure of protected health information (PHI) that leads to a HIPAA breach.
While advancing technology has changed the practice of medicine, technological advances have also necessitated new methods of protecting patient information. Experian reports that more than 27% of data breaches, including medical identity theft, were medical- or health care–related in 2017. Additionally, employees are involved in 71% of all cybersecurity incidents in health care—more than in any other industry—so your own employees may be your biggest risk of a HIPAA data breach. Likewise, smaller practices may have fewer cybersecurity training measures and protocols in place and so may be ideal targets for cyberattacks. Improving the protection of electronic data is essential for protecting patient privacy, but the cases below illustrate that it shouldn't be the sole focus.
High-Profile Cases Should Serve as a Warning to Smaller Practices
You may believe that high-profile cases are a world away from your medical practice. News accounts about suspected or confirmed HIPAA violations, however, reveal that similar breaches of confidentiality are just as likely to occur in small towns and small practices, though they may not make national news headlines. Consider the following examples.
Example #1: What Happens in the Practice Should Stay in the Practice
Celebrities become accustomed to being followed by the media and having personal information divulged, and that’s increasingly true with photo and video capability at everyone’s fingertips. When news is shared that includes medical and personally identifiable information, though, HIPAA infractions can occur.
High Profile Case
In 2015, Adam Schefter, a reporter and analyst for ESPN, shared images on social media of pro football player Jason Pierre-Paul’s medical records. Pierre-Paul had a finger amputated as a result of a fireworks accident. As one news outlet claimed, shortly after ESPN’s tweet, “the letters ‘HIPAA’ started trending” and the public began raising questions about the violation of Pierre-Paul’s privacy. Since Mr. Schefter is not a covered entity under HIPAA, though, he is not subject to HIPAA penalties. However, if they can be identified, the covered entity, business associates, and persons responsible for leaking the information could be held liable for any HIPAA violation.
Low Profile Case
Can an ordinary person be the subject of “newsworthy” public sharing of information similar to that experienced by celebrities? Consider this case of an EMS worker in rural Tennessee who responded to a call at an unusual location, and then commented about it on her Facebook page:
In June of 2017, a local man had a heart attack while working in his chicken coop, and the chicken coop was the subject of the EMS worker’s post. Although the post did not mention the patient’s name, his wife explained that in a small town, “Everybody knows where my husband died,” and she viewed the post as an invasion of her husband’s privacy at a tragic moment.
Example #2: Sharing Is Not Always Caring
Publicly sharing interesting or noteworthy happenings at a medical practice may seem harmless in the social media age, and it could benefit marketing, public relations, and community relations initiatives. However, sharing images or videos of patients without their explicit consent is a HIPAA violation. You and your staff may have good reason to want to share a photo or news about a patient—such as celebrating a recovery milestone—but explicit consent of the patient or the patient’s guardian is required.
High Profile Case
In 2016 and 2018, the HHS Office for Civil Rights (OCR) reached agreements with four hospitals totaling nearly $3.2 million to settle potential violations related to disclosure of PHI that occurred during filming of the ABC documentary series “Save My Life: Boston Trauma.” Healthcare Dive reported that one hospital claimed to have obtained patient permission and that two others said some of the patients were grateful for the chance to tell their story; even so, better documentation of consent might have prevented such large settlements.
Low Profile Case
Filming of a different sort raised red flags at Naval Hospital Jacksonville in 2017. Nurses videotaped newborns “dancing” to music and made obscene gestures in the videos. The staff involved were not only guilty of HIPAA violations and removed from patient care, but were also subject to military discipline. On the other end of the age spectrum, nursing home workers have also been sanctioned for HIPAA violations for sharing video recordings of elderly patients via social media.
Example #3: All the News Is Not Always Fit to Print
From news about a celebrity to news about a small-town catastrophe, staff at medical facilities have allowed their curiosity to supersede their obligation to keep patient information confidential. Disclosing patient information to persons other than those involved in direct care or those authorized to receive such information is not only a HIPAA violation, but can also result in unintended negative consequences.
High Profile Case
In 2008, staff at the UCLA Medical Center inappropriately divulged Britney Spears’ medical information related to her inpatient psychiatric treatment. Many of the 6 physicians and 13 staff members who accessed Spears’ PHI had no valid reason to look at her information. Their violation of HIPAA provided fodder for the press and did little to reassure patients across the nation that their personal information is secure.
Low Profile Case
In McAlester, Oklahoma, a town of just over 18,000 people, the adoptive parents of a toddler who drowned were surprised to learn that the local hospital had notified the boy’s biological mother who had terminated her parental rights. The parents also learned that multiple hospital staff—including a cafeteria worker—had accessed the boy’s medical chart. The inappropriate notification was not only a HIPAA violation, but also resulted in the adoptive parents receiving threats.
Best Practices for Maintaining Confidentiality of Patient Information
The pervasiveness of smartphones with video and photo capabilities—and social media networks on which to share them—makes it essential to regularly remind staff about HIPAA rules on patient privacy. Regular training emphasizing HIPAA privacy rules that support the dignity of patients can keep these values at the forefront of your practice.
To prevent improperly publicizing health information, consider these best practices:
- Provide annual clinician and staff training on PHI security policies and protocols.
- Ensure that clinicians and staff understand their responsibilities and roles in protecting PHI security, the various sensitivity levels of information, and how PHI should be accessed, stored, and transmitted.
- Require staff to sign confidentiality agreements that include acknowledgement of your practice’s social media policies.
- Enforce PHI security policies consistently among clinicians, staff, and administrators.
- HIPAA requires all covered entities to have sanction policies and procedures in place and to take action against workforce members who do not comply with them.
- Inform individuals working with PHI that accessing PHI for reasons not related to their job functions is a violation of state and federal privacy law.
- Consider using a pop-up box to warn users that they are accessing PHI and to remind them that their access may be audited or reviewed.
- Limit clinician and staff access to the data they need to perform their job functions.
- Continually audit systems to discover improper access.
- Consider restricting smartphone use by staff in patient areas except when necessary for patient care or practice operations, and then only with patient consent.
- Always obtain the explicit written consent of a patient or the patient’s guardian before sharing any personal health information.
- Establish standard policies and forms for documenting patient or guardian consent to publicly share patient health information.
- When recording videos at your practice for non-clinical purposes (e.g., marketing or community outreach):
  - Ensure that you have a signed consent form from every featured patient indicating their consent to participate.
  - Before publishing any videos or photos, ensure that there are no patients in the background who have not indicated in writing their consent to participate.
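The two access-control items above (limit access to what the job requires, and audit to discover improper access) are the controls that would have caught the staff in the UCLA and McAlester cases, where a cafeteria worker and others with no care relationship opened a chart. The following is an added illustration, not code from the original article or from any EHR vendor: it runs a simple review over a constructed chart-access audit log, flagging any view by a role with no chart-reading job function or by a user not on the patient's care team, and counting distinct viewers per patient. The log format, role names, user names, and care-team assignments are all made up for the example.

```python
"""Review constructed EHR chart-access audit records for access without a care relationship."""
from collections import defaultdict

# Roles whose job function can legitimately include opening a patient chart (assumed).
CHART_ROLES = {"physician", "nurse", "pharmacist", "billing"}

# Constructed care-team assignments: patient id -> users involved in that patient's care.
CARE_TEAM = {
    "P1001": {"dr_lee", "rn_patel"},
    "P1002": {"dr_gomez"},
}

# Constructed audit log, one "timestamp|user|role|patient|action" record per line.
AUDIT_LOG = """\
2018-03-01T08:02|dr_lee|physician|P1001|VIEW_CHART
2018-03-01T08:10|rn_patel|nurse|P1001|VIEW_CHART
2018-03-01T09:31|cafe_jones|food_service|P1001|VIEW_CHART
2018-03-01T10:05|dr_gomez|physician|P1001|VIEW_CHART
2018-03-01T10:07|rn_kim|nurse|P1001|VIEW_CHART
2018-03-01T11:45|dr_gomez|physician|P1002|VIEW_CHART
"""

def parse_log(text):
    """Split the pipe-delimited records into dicts, skipping blank lines."""
    fields = ("time", "user", "role", "patient", "action")
    return [dict(zip(fields, line.split("|"))) for line in text.splitlines() if line]

def flag_improper_access(events, care_team=CARE_TEAM, roles=CHART_ROLES):
    """Return (event, reason) pairs for chart views that need review.

    Check 1: the role has no chart-reading job function at all.
    Check 2: the user is not on the patient's care team. A documented
    break-glass (emergency) workflow would exempt such views; none is modelled here.
    """
    flagged = []
    for ev in events:
        if ev["action"] != "VIEW_CHART":
            continue
        if ev["role"] not in roles:
            flagged.append((ev, "role has no clinical need for chart access"))
        elif ev["user"] not in care_team.get(ev["patient"], set()):
            flagged.append((ev, "user not on patient's care team"))
    return flagged

def distinct_viewers(events):
    """Count distinct users who viewed each chart; a spike suggests curiosity browsing."""
    viewers = defaultdict(set)
    for ev in events:
        if ev["action"] == "VIEW_CHART":
            viewers[ev["patient"]].add(ev["user"])
    return {patient: len(users) for patient, users in viewers.items()}

if __name__ == "__main__":
    events = parse_log(AUDIT_LOG)
    for ev, why in flag_improper_access(events):
        print(f"{ev['time']} {ev['user']} ({ev['role']}) -> {ev['patient']}: {why}")
    print(distinct_viewers(events))
```

Flagged records are review leads for the privacy officer, not verdicts; the care-team source of truth and any break-glass justifications have to be reconciled before a sanction policy is applied.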
Obligations Beyond HIPAA
Long before HIPAA was enacted, physicians were taking an oath to treat patients with dignity and respect. As Becker’s Hospital Review points out in its history of patient privacy, an early translation of the Hippocratic oath reads:
“What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself, holding such things shameful to be spoken about.”
The very personal nature of the physician-patient relationship demands an ethical and respectful treatment of all patient information. Adhering to the highest ethical standards will help protect you and your practice from potential HIPAA or state law violations, civil suits, penalties, or fines resulting from improperly handling patient information.