In Canada (where privacy laws are similar to HIPAA), a man requested his surgery records, and soon received a package in the mail from the hospital. When he opened the package, however, he did not find his surgery records—he found another man’s autopsy.
Four nurse aides commit abuse with Facebook Live
The family of an Illinois nursing home resident who appeared in a caregiver’s Facebook Live video is suing the home. Four nursing aides allegedly participated in a video of the resident, who is a stroke survivor with dementia. The lawsuit asserts that the video shows the resident in bed, holding a diaper, surrounded by employees who are harassing him. One of the caretakers is heard yelling “Take off your pants, [resident name].”
This example poses HIPAA concerns and abuse concerns. Without a patient authorization, it is a potential HIPAA violation to record the resident and share that recording with third parties. In addition, CMS made it clear in its Survey & Certification Memo 16-33 that humiliating or demeaning photos or recordings of nursing home residents are mental abuse.
Snapchat use leads to criminal charges
In late 2018, the OCR entered a $111,400 settlement with Pagosa Springs Medical Center (PSMC), a Colorado critical access hospital. The OCR alleged that the hospital failed to terminate a former employee’s remote access to the hospital’s scheduling calendar, which includes patient PHI. The OCR also alleged that the hospital failed to enter a Business Associate Agreement with the scheduling calendar vendor.
An Arizona patient received a free sample for an erectile dysfunction (“ED”) medication from his doctor. Later, his pharmacy, Costco, called the patient to tell him that his full prescription was ready. The patient told Costco that he did not want the prescription and would not be picking it up.
One month later, the patient called Costco about another prescription. Costco again told the patient that his ED prescription was ready, and the patient again told Costco he did not want that prescription. The next day, the patient called Costco to give his ex-wife permission to pick up his prescription. The patient and his ex-wife were considering reconciling. A Costco employee gave the ex-wife the patient’s prescription – and the ED prescription, and joked with the ex-wife about the patient taking so long to pick it up. The ex-wife ended reconciliation attempts with the patient.
The patient sued Costco for negligence and other claims.
After ransomware took over Brookside ENT & Hearing Services’ EMR system, it decided to close its practice for good. The virus deleted and overwrote the medical practice’s medical records, bills and appointments—and the backups. The virus left behind duplicates, which the hacker promised to unlock in exchange for a $6,500 ransom. The two doctors who own the practice wisely refused to pay the ransom. Instead, they called the FBI.
Effective April 23, 2019, the Office of Civil Rights (OCR) has reduced the annual aggregate HIPAA penalty caps for covered entities and business associates.
A San Diego hospital is being sued for secretly video recording 1,800 patients while they received procedures in three labor and delivery operating rooms. Women were also recorded while undressing, and with their genitals exposed. The lawsuit alleges that the recorded women have suffered anxiety, humiliation, depression, and other harm.
The hospital installed motion-activated cameras on drug carts in the operating rooms, in order to investigate potential employee diversion of propofol from operating room drug carts. The cameras continued to record after the motion stopped. The lawsuit alleges that multiple users – including strangers and non-medical employees – could access the recordings on computers, and the hospital did not track who accessed the recordings.
While we don’t know exactly what procedures were followed in this example, some good HIPAA questions are raised for other providers considering using filming in similar circumstances.
From a HIPAA standpoint, a HIPAA authorization would be required for any such recording to be legally obtained. This story also raises concerns about how the recordings were stored and accessed, and whether access to the recordings was properly limited. And of course, before any new technology is used that will record and store ePHI, it should first be addressed in your HIPAA security risk analysis.
MPA's Compliance and HIPAA training handbooks for healthcare staff are here!
Help your staff get HIPAA right, all day, every day.
MPA noticed that most HIPAA training doesn't cover the top calls we get: snooping, selfies, social media, and other common breaches.
This HIPAA training handbook won't tell your staff that HIPAA was enacted in 1996 - because that won't help your staff make good HIPAA decisions on a daily basis. This handbook will, however, provide common sense HIPAA information your staff need to succeed in healthcare.
Each chapter is accompanied by a mini-quiz to test staff knowledge.
Help your staff get compliance right, all day, every day.
MPA noticed that most compliance training does not cover the daily risks most healthcare staff encounter - or is written in legalese that is challenging for many healthcare employees.
This training handbook won't tell your staff that OIG stands for "Office of Inspector General," because that isn't going to help most of your staff understand compliance. This handbook will break down compliance concepts in simple, understandable chapters to help them do their jobs in a way that follows your compliance program.
Each chapter is accompanied by a mini-quiz to test staff knowledge.
Last week, my husband and our five-year-old daughter took our dog to the vet for a check-up. When they came home, my five-year-old was very excited to tell me that she got to talk to Dr. Julie about Abby's tooth cleaning and Jack's nail trimming.
Abby and Jack are my mother's cats, who, in case it isn't obvious, also see Dr. Julie.
I was astounded! Until my husband reminded me: "There's no HIPAA for cats, Margaret."
That's right. Of course!
But this got me thinking. If Abby and Jack were people, we would have a pretty big problem on our hands. My mother lives four minutes away. So do my nephews. So do my aunt and uncle. There's some overlap in doctors and dentists in our family (in addition to veterinarians). We bump into each other all over town.
And yet, thanks to HIPAA, we all expect and trust that our medical information will be kept private. Can you imagine it any other way? Can you imagine the chaos that would ensue if everyone discussed everyone else's tooth cleanings and nail trimmings all over town, as if we were cats?
Aristotle said what separates humans from the animals is rationality. I think it's HIPAA, too.
CBS 2 (Chicago) reported that potentially 60 Northwestern Memorial Hospital employees were terminated for accessing Jussie Smollett's medical records, without authorization, during a hospital stay following a highly publicized assault.
One terminated Northwestern employee reported she was fired after she "went into the charting system and started to search [Smollett]'s name." The fired employee did this out of "morbid curiosity." Others were potentially terminated for asking if the actor was admitted to the hospital under an alias.
Northwestern has not commented on the alleged firings, and we do not know for sure whether the firings occurred; if so, how many firings occurred; and whether HIPAA was violated.
But we do know that all healthcare providers struggle with the challenge of unauthorized access of patient records (also known as snooping). It happens with celebrities and other high-profile patients: car accident victims, employee relatives and friends, co-workers, and hometown heroes.
What you can do:
- Admit high-profile patients under an alias.
- Limit access with your EHR controls.
- Monitor access regularly. Increase monitoring when you have a high-profile patient.
- Use alerts to warn users and your compliance team when access is exceeded.
- Have your breach analysis policy and decision tree nearby for when access is exceeded.
- Train staff on the consequences of exceeding their access. One "morbid curiosity" click could cost them their job.
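The monitoring and alerting steps in the list above, sketched as an added example (not part of the original post and not any EHR vendor's code). It assumes an audit log exported as (timestamp, user, action, MRN) rows, a care-team assignment table and a compliance watchlist of high-profile patients; all names and records below are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data; field names are assumptions, not a real EHR schema.
CARE_TEAM = {"MRN-1001": {"rn_lopez", "dr_shah"}, "MRN-2002": {"rn_kim"}}
HIGH_PROFILE = {"MRN-1001"}  # watchlist maintained by the compliance team
AUDIT_LOG = [
    ("2019-03-01T08:02:00", "rn_lopez", "open_chart", "MRN-1001"),
    ("2019-03-01T08:15:00", "clerk_ray", "open_chart", "MRN-1001"),
    ("2019-03-01T08:16:00", "clerk_ray", "open_chart", "MRN-1001"),
    ("2019-03-01T09:30:00", "tech_moss", "name_search", "MRN-1001"),
    ("2019-03-01T10:00:00", "rn_kim", "open_chart", "MRN-2002"),
    ("2019-03-01T10:05:00", "clerk_ray", "open_chart", "MRN-2002"),
]


def review_access(log, care_team, high_profile):
    """Return one alert per (user, patient) pair with no care-team relationship."""
    grouped = defaultdict(list)
    for ts, user, action, mrn in log:
        # An unknown MRN has an empty care team, so every access to it is flagged.
        if user not in care_team.get(mrn, set()):
            grouped[(user, mrn)].append((datetime.fromisoformat(ts), action))

    alerts = []
    for (user, mrn), events in grouped.items():
        events.sort()
        alerts.append({
            "user": user,
            "mrn": mrn,
            "priority": "high" if mrn in high_profile else "review",
            "first_seen": events[0][0].isoformat(),
            "count": len(events),
            "actions": sorted({action for _, action in events}),
        })
    # Watchlisted patients sort first so compliance sees them at the top.
    alerts.sort(key=lambda a: (a["priority"] != "high", a["user"], a["mrn"]))
    return alerts


if __name__ == "__main__":
    for alert in review_access(AUDIT_LOG, CARE_TEAM, HIGH_PROFILE):
        print(alert)
```

Each alert is a starting point for the breach analysis policy and decision tree, not a finding: a flagged user may have a legitimate reason that the care-team table does not capture.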
Need help reminding your staff not to snoop medical records? HIPAA Every Day, MPA's HIPAA training handbook for healthcare employees, addresses snooping.