Breaking Compliance News Blog

Free Webinar: Most Questionable Healthcare Social Media Posts of 2020

Posted by Margaret Scavotto, JD, CHC on 1/13/21 12:29 PM

Start 2021 off strong with the next TWO webinars in MPA's Free Compliance Webinar Series!


Topics: Training and Education, HIPAA, Social Media, compliance

Free Webinar: Compliance New Year's Resolutions for SNFs

Posted by Margaret Scavotto, JD, CHC on 1/11/21 10:30 AM

Start 2021 off strong with the next TWO webinars in MPA's Free Compliance Webinar Series!


Topics: Training and Education, HIPAA, Social Media, compliance

Free Webinar: Most Questionable Healthcare Social Media Posts of 2020

Posted by Margaret Scavotto, JD, CHC on 1/7/21 9:15 AM

Start 2021 off strong with the next TWO webinars in MPA's Free Compliance Webinar Series!


Topics: Training and Education, HIPAA, Social Media, compliance

HIPAA reminder: Is your workforce changing?

Posted by Margaret Scavotto, JD, CHC on 5/19/20 10:44 AM

Many providers are seeing changes to their workforce during the pandemic. Hospitals are recruiting additional healthcare professionals; nursing homes are relying more heavily on agency staff as employees become ill or do not show up for work. CMS has changed rules, allowing expanded types of providers to order tests and perform other tasks. An increased number of students or volunteers are also being used.

With these workforce changes, HIPAA training must continue. The HIPAA Privacy and Security Rules remain in place during the pandemic. OCR enforcement remains active. HIPAA requires providers to train their workforce on HIPAA requirements. Workforce means “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.” 45 CFR 160.103

HIPAA training reminders:

  • Covered entities should routinely evaluate who is working on their behalf and determine who is included in their workforce (and needs training).
  • The Privacy Rule requires covered entities to train all workforce members on policies and procedures related to PHI, as necessary and appropriate for the workforce members to carry out their functions. 45 CFR 164.530(b)
  • The Security Rule requires covered entities to: “implement a security awareness and training program for all members of its workforce (including management)” 45 CFR 164.308(a)(5)
  • Workforce members should also be trained to recognize breaches, how to report them internally, and who to report them to.
  • All workforce members should be trained on appropriate social media use (this is especially important during a national emergency).

Topics: HIPAA, Social Media, security, breach notification, COVID-19, privacy

Using Social Media Safely During a Pandemic

Posted by Margaret Scavotto, JD, CHC on 5/14/20 9:20 AM

During a national public health emergency, healthcare providers will have many reasons to use social media. The community will likely turn to social media to learn what your organization is doing in response to COVID-19. Social media can be used to keep the public informed, ward off panic, advise patients and loved ones of new procedures or protocols, and show the public a strong response during the disaster. Social media is also being used to recruit staff, volunteers, and supplies.

Topics: Social Media, security, business associates, compliance, COVID-19, privacy

Breaking News: First social media HIPAA settlement!

Posted by Scott Gima on 10/8/19 7:15 AM


Whenever a settlement agreement is announced, the OCR is sending a message to all providers. On October 2nd, the OCR announced a $10,000 settlement agreement with Elite Dental Associates in Dallas, Texas. At first glance, it is easy to overlook this settlement; $10,000 does not seem to be a big deal when there are other cases with fines in the millions of dollars. For example, Anthem paid a record $16 million following the PHI breach of close to 79 million people, the largest health data breach in history. So what is the big deal? Or more importantly, what are the lessons to be learned from this breach? There are several.

Topics: HIPAA, Social Media

Abuse by Smartphone

Posted by Margaret Scavotto, JD, CHC on 7/9/19 9:57 AM

Four nurse aides commit abuse with Facebook Live

The family of an Illinois nursing home resident who appeared in a caregiver’s Facebook Live video is suing the home. Four nursing aides allegedly participated in a video of the resident, who is a stroke survivor with dementia. The lawsuit asserts that the video shows the resident in bed, holding a diaper, surrounded by employees who are harassing him. One of the caretakers is heard yelling “Take off your pants, [resident name].”

This example poses HIPAA concerns and abuse concerns. Without a patient authorization, it is a potential HIPAA violation to record the resident and share that recording with third parties. In addition, CMS made it clear in its Survey & Certification Memo 16-33 that humiliating or demeaning photos or recordings of nursing home residents are mental abuse.

Snapchat use leads to criminal charges

Topics: HIPAA, Social Media, abuse

HIPAA breaches are everywhere: Are your employees prepared?

Posted by Margaret Scavotto, JD, CHC on 12/13/18 2:01 PM

A hospital OR secretary was fired after she accessed the hospital's EHR to locate a co-worker's phone number.

A child's adoptive parents sued a hospital for allegedly violating HIPAA when it notified the child's birth mother of his death.

Hospital employees clicked on links in emails that appeared to be from trusted sources, unleashing a spear phishing attack. Hackers accessed PHI for 63,000 individuals - some of whom are suing the hospital for failing to protect their privacy.

A patient is suing CVS for telling his wife about his Viagra prescription.

Some of you might read these (true) stories and view them as blatant, or at least ignorant, HIPAA violations. Or maybe you believe these are honest mistakes. I think it depends on whether, when, and how the healthcare employees involved were trained on HIPAA in a practical way.

In the CVS example, we can imagine a pharmacist or pharmacy tech at the register and taking phone calls. This person talks to people all day long about prescriptions - often prescriptions dropped off or picked up by a spouse. When is the last time this pharmacist was trained on when to share information with a spouse (and when to keep it confidential)?

Regarding the spear phishing example, I received two phishing email attempts today, and it's only 2:00 p.m. I recognized the emails as phony - but my day job involves HIPAA, and I read about HIPAA for fun. It's always on my mind. Would healthcare employees who spend their days scheduling patients, sending out EOBs, or providing care recognize suspicious emails? It depends on how well they have been trained, and how often.

HIPAA, like the rest of compliance, is not simply something for the lawyers or the compliance department to figure out.

Our compliance programs are only as strong as our weakest employees - and it's up to us to train them to get it right.

Topics: HIPAA, Social Media, data breach, security

Social Media Snafus: Keep Your Staff HIPAA Compliant

Posted by Margaret Scavotto, JD, CHC on 10/18/18 6:59 AM

An EMS worker gave CPR to a man who suffered a heart attack in his chicken coop. The EMS worker later posted on Facebook: "Well, we had a first... We worked a code in a chicken coop. Knee deep in chicken droppings."

A medical student who helped deliver a baby posted to Instagram a selfie of himself next to the mother's genitals.

A hospital employee appeared in a photo flipping off a newborn baby, with the caption: "How I currently feel about these mini Satans." The photo was shared 185,000 times on Facebook.

A pediatric ICU/ER nurse discussed a child's measles diagnosis on a Facebook page, before the measles case was announced to the public.

What do these stories have in common?

They're true. They involve disrespect to patients. They potentially violate HIPAA. They likely caused their organizations' privacy officers to pour hours into analyzing whether patients needed to be notified of a breach of HIPAA or other privacy laws. And, they made news headlines, creating a sizable PR problem for each provider involved.

Would your employees do this?

Your employees have Facebook, Instagram, Snapchat and Twitter accounts. They text. How many times do you think your employees text and post to social media every day? 

How often do you train staff on how to use social media without violating HIPAA (or disrespecting patients)? Once a year? Is your training frequent, helpful - and memorable - enough to ensure your employees get this right?

Help your employees use social media appropriately.

  • Implement a social media policy.
  • Train employees to recognize PHI.
  • Use examples. Help your team understand how seemingly innocent posts can violate HIPAA.
  • Train some more! Keep HIPAA and social media top of mind.
  • Encourage staff to report violations of the policy. This will allow you to research potential breaches and mitigate them swiftly.

Taking on the unstoppable world of social media might seem impossible. But it's better to help employees use it properly--and know when they aren't--than to cover our eyes and wait to hear it from the patients (or the media).

Topics: HIPAA, Social Media

Social Media Snafus May Lead to Policy Changes, Creative Training

Posted by Margaret Scavotto, JD, CHC on 3/15/18 6:22 AM

This month, HCCA's Report on Medicare Compliance published an article featuring Margaret Scavotto's comments on the HIPAA risks of social media for healthcare providers:

Topics: HIPAA, Social Media
