Breaking Compliance News Blog

HIPAA reminder: Is your workforce changing?

Posted by Margaret Scavotto, JD, CHC on 5/19/20 10:44 AM

Many providers are seeing changes to their workforce during the pandemic. Hospitals are recruiting additional healthcare professionals; nursing homes are relying more heavily on agency staff as employees become ill or do not show up for work. CMS has changed rules, allowing expanded types of providers to order tests and perform other tasks. An increased number of students or volunteers are also being used.

With these workforce changes, HIPAA training must continue. The HIPAA Privacy and Security Rules remain in place during the pandemic. OCR enforcement remains active. HIPAA requires providers to train their workforce on HIPAA requirements. Workforce means “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.” 45 CFR 160.103

HIPAA training reminders:

  • Covered entities should routinely evaluate who is working on their behalf and determine who is included in their workforce (and needs training).
  • The Privacy Rule requires covered entities to train all workforce members on policies and procedures related to PHI, as necessary and appropriate for the workforce members to carry out their functions. 45 CFR 164.530(b)
  • The Security Rule requires covered entities to: “implement a security awareness and training program for all members of its workforce (including management)” 45 CFR 164.308(a)(5)
  • Workforce members should also be trained to recognize breaches, to report them internally, and to know whom to report them to.
  • All workforce members should be trained on appropriate social media use (this is especially important during a national emergency).

Topics: HIPAA, Social Media, security, breach notification, COVID-19, privacy

Using Social Media Safely During a Pandemic

Posted by Margaret Scavotto, JD, CHC on 5/14/20 9:20 AM

During a national public health emergency, healthcare providers will have many reasons to use social media. The community will likely turn to social media to learn what your organization is doing in response to COVID-19. Social media can be used to keep the public informed, ward off panic, advise patients and loved ones of new procedures or protocols, and show the public a strong response during the disaster. Social media is also being used to recruit staff, volunteers, and supplies.

Topics: Social Media, security, business associates, compliance, COVID-19, privacy

Breaking News: First social media HIPAA settlement!

Posted by Scott Gima on 10/8/19 7:15 AM

Whenever a settlement agreement is announced, the OCR is sending a message to all providers. On October 2nd, the OCR announced a $10,000 settlement agreement with Elite Dental Associates in Dallas, Texas. At first glance, it is easy to overlook this settlement; $10,000 does not seem to be a big deal when there are other cases with fines in the millions of dollars. For example, Anthem paid a record $16 million following the PHI breach of close to 79 million people, the largest health data breach in history. So what is the big deal? Or, more importantly, what are the lessons to be learned from this breach? There are several.

Topics: HIPAA, Social Media

Abuse by Smartphone

Posted by Margaret Scavotto, JD, CHC on 7/9/19 9:57 AM

Four nurse aides commit abuse with Facebook Live

The family of an Illinois nursing home resident who appeared in a caregiver’s Facebook Live video is suing the home. Four nursing aides allegedly participated in a video of the resident, who is a stroke survivor with dementia. The lawsuit asserts that the video shows the resident in bed, holding a diaper, surrounded by employees who are harassing him. One of the caretakers is heard yelling “Take off your pants, [resident name].”

This example poses HIPAA concerns and abuse concerns. Without a patient authorization, it is a potential HIPAA violation to record the resident and share that recording with third parties. In addition, CMS made it clear in its Survey & Certification Memo 16-33 that humiliating or demeaning photos or recordings of nursing home residents are mental abuse.

Snapchat use leads to criminal charges

Topics: HIPAA, Social Media, abuse

HIPAA breaches are everywhere: Are your employees prepared?

Posted by Margaret Scavotto, JD, CHC on 12/13/18 2:01 PM

A hospital OR secretary was fired after she accessed the hospital's EHR to locate a co-worker's phone number.

A child's adoptive parents sued a hospital for allegedly violating HIPAA when it notified the child's birth mother of his death.

Hospital employees clicked on links in emails that appeared to be from trusted sources, unleashing a spear phishing attack. Hackers accessed PHI for 63,000 individuals - some of whom are suing the hospital for failing to protect their privacy.

A patient is suing CVS for telling his wife about his Viagra prescription.

Some of you might read these (true) stories and view them as blatant, or at least ignorant, HIPAA violations. Or maybe you believe these are honest mistakes. I think it depends on whether, when, and how the healthcare employees involved were trained on HIPAA in a practical way.

In the CVS example, we can imagine a pharmacist or pharmacy tech working the register and taking phone calls. This person talks to people all day long about prescriptions - often prescriptions dropped off or picked up by a spouse. When is the last time this pharmacist was trained on when to share information with a spouse (and when to keep it confidential)?

Regarding the spear phishing example, I received two phishing email attempts today, and it's only 2:00 p.m. I recognized the emails as phony - but my day job involves HIPAA, and I read about HIPAA for fun. It's always on my mind. Would healthcare employees who spend their days scheduling patients, sending out EOBs, or providing care recognize suspicious emails? It depends on how well they have been trained, and how often.

HIPAA, like the rest of compliance, is not simply something for the lawyers or the compliance department to figure out.

Our compliance programs are only as strong as our weakest employees - and it's up to us to train them to get it right.

Topics: HIPAA, Social Media, data breach, security

Social Media Snafus: Keep Your Staff HIPAA Compliant

Posted by Margaret Scavotto, JD, CHC on 10/18/18 6:59 AM

An EMS worker gave CPR to a man who suffered a heart attack in his chicken coop. The EMS worker later posted on Facebook: "Well, we had a first... We worked a code in a chicken coop. Knee deep in chicken droppings."

A medical student who helped deliver a baby posted to Instagram a selfie of himself next to the mother's genitals.

A hospital employee appeared in a photo flipping off a newborn baby, with the caption: "How I currently feel about these mini Satans." The photo was shared 185,000 times on Facebook.

A pediatric ICU/ER nurse discussed a child's measles diagnosis on a Facebook page, before the measles case was announced to the public.

What do these stories have in common?

They're true. They involve disrespect to patients. They potentially violate HIPAA. They likely caused their organizations' privacy officers to pour hours into analyzing whether patients needed to be notified of a breach of HIPAA or other privacy laws. And, they made news headlines, creating a sizable PR problem for each provider involved.

Would your employees do this?

Your employees have Facebook, Instagram, Snapchat and Twitter accounts. They text. How many times do you think your employees text and post to social media every day? 

How often do you train staff on how to use social media without violating HIPAA (or disrespecting patients)? Once a year? Is your training frequent, helpful - and memorable - enough to ensure your employees get this right?

Help your employees use social media appropriately.

  • Implement a social media policy.
  • Train employees to recognize PHI.
  • Use examples. Help your team understand how seemingly innocent posts can violate HIPAA.
  • Train some more! Keep HIPAA and social media top of mind.
  • Encourage staff to report violations of the policy. This will allow you to research potential breaches and mitigate them swiftly.

Taking on the unstoppable world of social media might seem impossible. But it's better to help employees use it properly, and know when they aren't, than to cover our eyes and wait to hear it from the patients (or the media).

Topics: HIPAA, Social Media

Social Media Snafus May Lead to Policy Changes, Creative Training

Posted by Margaret Scavotto, JD, CHC on 3/15/18 6:22 AM

This month, HCCA's Report on Medicare Compliance published an article featuring Margaret Scavotto's comments on the HIPAA risks of social media for healthcare providers:

Topics: HIPAA, Social Media

Tweet, tweet: Resident abuse takes a new – and dangerous – form

Posted by Margaret Scavotto, JD, CHC on 8/16/16 3:14 PM

CMS recently issued guidance to its state surveyors, explaining that nursing home resident abuse occurs when staff take pictures or recordings “in a way that would demean or humiliate a resident(s).”

That’s just common sense: Nobody should have their picture or video taken when they are in a nursing home, and perhaps asleep, or in a compromising position. I doubt anyone would argue with CMS’ position that such unauthorized images constitute mental abuse when they are demeaning or humiliating. And yet, any provider who has attempted any degree of social media compliance knows this is a real problem.

Nursing homes and other providers are already climbing the seemingly insurmountable mountain of social-media-posts-turned-HIPAA-violations. Our increasingly young workforce is walking the halls with 683 (or more, if you use Facebook more than I do) Facebook friends in their back pocket. Or waiting in their locker. Or their car. Many of these people are walking your halls thinking: “What can I share about my day tonight? What will get the most ‘Likes’? What will really put me at the top of the Newsfeed?” Social media posts and texts ranging from innocent to malicious have tied many Compliance and Privacy Officers up in hours-long breach investigations. Now, every tweet, post, text and snap involving a nursing home resident also needs to be treated as a potential abuse allegation.

Starting in September 2016, CMS surveyors will review every nursing home’s policies, to see if they “prohibit staff from taking, keeping and/or distributing photographs and recordings that demean or humiliate a resident(s).” CMS outlines the steps nursing homes must take in order to do well on this survey – and meet expectations for preventing this type of mental abuse:

  • Implement policies and procedures prohibiting abuse. These policies need to address mental abuse arising from demeaning or humiliating pictures or recordings.
  • Train staff on mental abuse arising from these pictures or recordings.
  • Take training one step further and “provide ongoing oversight and supervision of staff in order to assure that these policies are implemented as written.”
  • Treat these incidents of mental abuse as any other abuse allegation: with investigation and reporting.

A policy and training are crucial – and required by CMS – but they won’t be enough. Social media compliance requires a culture campaign. Social media is top-of-mind and omnipresent for your staff. So must be your efforts to motivate staff to use social media wisely. Has your organization launched a social media compliance campaign? Do your staff understand that posting or texting pictures of patients can result in license discipline? Jail time? How often do your staff receive reminders about appropriate social media use? Often enough to be as memorable as that next Facebook post opportunity? Make social media part of the compliance conversation, and you will help your staff use social media wisely, and convert social media from a liability to an asset.

Topics: Social Media

Are your employees tweeting their way to a HIPAA violation?

Posted by Margaret Scavotto, JD, CHC on 3/2/14 3:25 AM

Like it or not, social media use in the workplace is inevitable. A report by SilkRoad Technology found that 75% of employees check personal social media at least once a day on their mobile devices during working hours, and 60% access it multiple times.

Topics: HIPAA, Social Media

HIPAA penalties & social media: Do you trust your employees?

Posted by Margaret Scavotto, JD, CHC on 9/12/12 12:00 PM

It's no secret that the HIPAA hammer is here to stay. The HITECH Act of 2009 increased HIPAA penalties, and the Federal government has been doling them out liberally. As the use of social media expands, health care providers and their employees need to consider the consequences of posting information that could identify a patient. These consequences include penalties under HIPAA, privacy laws and even criminal laws...and making the headlines.

Topics: Penalties and Enforcement, HIPAA, Social Media