Breaking Compliance News Blog

HIPAA breaches are everywhere: Are your employees prepared?

Posted by Margaret Scavotto, JD, CHC on 12/13/18 2:01 PM

A hospital OR secretary was fired after she accessed the hospital's EHR to locate a co-worker's phone number.

A child's adoptive parents sued a hospital for allegedly violating HIPAA when it notified the child's birth mother of his death.

Hospital employees clicked on links in emails that appeared to be from trusted sources, unleashing a spear phishing attack. Hackers accessed PHI for 63,000 individuals - some of whom are suing the hospital for failing to protect their privacy.

A patient is suing CVS for telling his wife about his Viagra prescription.

Some of you might read these (true) stories and view them as blatant, or at least ignorant, HIPAA violations. Or maybe you believe these are honest mistakes. I think it depends on whether, when, and how the healthcare employees involved were trained on HIPAA in a practical way.

In the CVS example, we can imagine a pharmacist or pharmacy tech at the register and taking phone calls. This person talks to people all day long about prescriptions - often prescriptions dropped off or picked up by a spouse. When is the last time this pharmacist was trained on when to share information with a spouse (and when to keep it confidential)?

Regarding the spear phishing example, I received two phishing email attempts today, and it's only 2:00 p.m. I recognized the emails as phony - but my day job involves HIPAA, and I read about HIPAA for fun. It's always on my mind. Would healthcare employees who spend their days scheduling patients, sending out EOBs, or providing care recognize suspicious emails? It depends on how well they have been trained, and how often.

HIPAA, like the rest of compliance, is not simply something for the lawyers or the compliance department to figure out.

Our compliance programs are only as strong as our weakest employees - and it's up to us to train them to get it right.

 

 

 

Read More

Topics: data breach, Social Media, HIPAA, security

Social Media Snafus: Keep Your Staff HIPAA Compliant

Posted by Margaret Scavotto, JD, CHC on 10/18/18 6:59 AM

An EMS worker gave CPR to a man who suffered a heart attack in his chicken coop. The EMS worker later posted on Facebook: "Well, we had a first... We worked a code in a chicken coop. Knee deep in chicken droppings."

A medical student who helped deliver a baby posted to Instagram a selfie of himself next to the mother's genitals.

A hospital employee appeared in a photo flipping off a newborn baby, with the caption: "How I currently feel about these mini Satans." The photo was shared 185,000 times on Facebook.

A pediatric ICU/ER nurse discussed a child's measles diagnosis on a Facebook page, before the measles case was announced to the public.

What do these stories have in common?

They're true. They involve disrespect to patients. They potentially violate HIPAA. They likely caused their organizations' privacy officers to pour hours into analyzing whether patients needed to be notified of a breach of HIPAA or other privacy laws. And, they made news headlines, creating a sizable PR problem for each provider involved.

Would your employees do this?

Your employees have Facebook, Instagram, Snapchat and Twitter accounts. They text. How many times do you think your employees text and post to social media every day? 

How often do you train staff on how to use social media without violating HIPAA (or disrespecting patients)? Once a year? Is your training frequent, helpful - and memorable - enough to ensure your employees get this right?

Help your employees use social media appropriately.

  • Implement a social media policy.
  • Train employees to recognize PHI.
  • Use examples. Help your team understand how seemingly innocent posts can violate HIPAA.
  • Train some more! Keep HIPAA and social media top of mind.
  • Encourage staff to report violations of the policy. This will allow you to research potential breaches and mitigate them swiftly.

Taking on the unstoppable world of social media might seem impossible. But it's better to help employees use it properly - and know when they aren't - than to cover our eyes and wait to hear it from the patients (or the media).

Topics: Social Media, HIPAA

Social Media Snafus May Lead to Policy Changes, Creative Training

Posted by Margaret Scavotto, JD, CHC on 3/15/18 6:22 AM

This month, HCCA's Report on Medicare Compliance published an article featuring Margaret Scavotto's comments on the HIPAA risks of social media for healthcare providers:

Topics: Social Media, HIPAA

Tweet, tweet: Resident abuse takes a new - and dangerous - form

Posted by Margaret Scavotto, JD, CHC on 8/16/16 3:14 PM

CMS recently issued guidance to its state surveyors, explaining that nursing home resident abuse occurs when staff take pictures or recordings “in a way that would demean or humiliate a resident(s).”

That’s just common sense: Nobody should have their picture or video taken when they are in a nursing home, and perhaps asleep, or in a compromising position. I doubt anyone would argue with CMS’ position that such unauthorized images constitute mental abuse when they are demeaning or humiliating. And yet, any provider who has attempted any degree of social media compliance knows this is a real problem.

Nursing homes and other providers are already climbing the seemingly insurmountable mountain of social-media-posts-turned-HIPAA-violations. Our increasingly young workforce is walking the halls with 683 (or more, if you use Facebook more than I do) Facebook friends in their back pocket. Or waiting in their locker. Or their car. Many of these people are walking your halls thinking: “What can I share about my day tonight? What will get the most ‘Likes’? What will really put me at the top of the Newsfeed?” Social media posts and texts ranging from innocent to malicious have tied many Compliance and Privacy Officers up in hours-long breach investigations. Now, every tweet, post, text and snap involving a nursing home resident also needs to be treated as a potential abuse allegation.

Starting in September 2016, CMS surveyors will review every nursing home’s policies, to see if they “prohibit staff from taking, keeping and/or distributing photographs and recordings that demean or humiliate a resident(s).” CMS outlines the steps nursing homes must take in order to do well on this survey – and meet expectations for preventing this type of mental abuse:

  • Implement policies and procedures prohibiting abuse. These policies need to address mental abuse arising from demeaning or humiliating pictures or recordings.
  • Train staff on mental abuse arising from these pictures or recordings.
  • Take training one step further and “provide ongoing oversight and supervision of staff in order to assure that these policies are implemented as written.”
  • Treat these incidents of mental abuse as any other abuse allegation: with investigation and reporting.

A policy and training are crucial – and required by CMS – but they won’t be enough. Social media compliance requires a culture campaign. Social media is top-of-mind and omnipresent for your staff. So must be your efforts to motivate staff to use social media wisely. Has your organization launched a social media compliance campaign? Do your staff understand that posting or texting pictures of patients can result in license discipline? Jail time? How often do your staff receive reminders about appropriate social media use? Often enough to be as memorable as that next Facebook post opportunity? Make social media part of the compliance conversation, and you will help your staff use social media wisely, and convert social media from a liability to an asset.

Topics: Social Media

Are your employees tweeting their way to a HIPAA violation?

Posted by Margaret Scavotto, JD, CHC on 3/2/14 3:25 AM

Like it or not, social media use in the workplace is inevitable. A report by SilkRoad Technology found that 75% of employees check personal social media at least once a day on their mobile devices during working hours, and 60% access it multiple times.

Topics: HIPAA, Social Media

HIPAA penalties & social media: Do you trust your employees?

Posted by Margaret Scavotto, JD, CHC on 9/12/12 12:00 PM

It's no secret that the HIPAA hammer is here to stay. The HITECH Act of 2009 increased HIPAA penalties, and the Federal government has been doling them out liberally. As the use of social media expands, health care providers and their employees need to consider the consequences of posting information that could identify a patient. These consequences include penalties under HIPAA, privacy laws and even criminal laws...and making the headlines.

Topics: Penalties and Enforcement, HIPAA, Social Media