Breaking Compliance News Blog

“That’s so cute!” (if there’s a HIPAA authorization)

Posted by Margaret Scavotto, JD, CHC on 6/14/22 11:17 AM

 

Are you on TikTok?
 
I’m not (although I hear it’s worth it for the air fryer recipes).
 
But everyone else is, including an increasing number of healthcare professionals and healthcare providers.
 
Social media use increased during the early pandemic days as a way to connect with the world from inside locked down facilities. It also brings a healthy dose of levity.
 
For example:
  • A nursing home’s videos of residents enjoying therapy dogs Floyd and Loki went viral on TikTok. 
  • Last Thanksgiving, one nursing home’s TikTok video of the administrator dressed as a Thanksgiving turkey went viral. 
  • In a Scotland nursing home, a 102-year-old resident ‘s daily exercise dance routine – done with two nurses – was posted to TikTok. In the video, the resident and two of his caregivers are seen dancing. The home claims the videos “have been a great way to get the residents up and moving, and they’ve loved taking part.”
I love these videos! They are so cute. And they are okay to use – IF the patients signed a valid HIPAA authorization before the videos were taken.
 
Without a HIPAA authorization, the cute factor fades, and we are left with a potential HIPAA breach to investigate.
 
Thinking of going viral? Have fun – but make sure everyone involved understands the HIPAA consequences.

What you can do:

Read More

Topics: Training and Education, HIPAA, Social Media, security, privacy

Last Chance: Sign up for MPA's Virtual HIPAA Training!

Posted by Margaret Scavotto, JD, CHC on 6/7/22 12:03 PM

HIPAA is a lot!

MPA's e-course makes it easier to keep up with privacy, security, breach notification, and social media.

Sign up for MPA's Virtual HIPAA Training Course

Read More

Topics: Training and Education, HIPAA, Social Media, security, breach notification, privacy, webinar

Sign up for MPA's Virtual HIPAA Training!

Posted by Margaret Scavotto, JD, CHC on 5/19/22 8:45 AM

HIPAA is a lot!

MPA's e-course makes it easier to keep up with privacy, security, breach notification, and social media.

Sign up for MPA's Virtual HIPAA Training Course

Read More

Topics: Training and Education, HIPAA, Social Media, security, breach notification, privacy, webinar

Sign up for MPA's Virtual HIPAA Training!

Posted by Margaret Scavotto, JD, CHC on 5/4/22 8:15 AM

HIPAA is a lot!

MPA's e-course makes it easier to keep up with privacy, security, breach notification, and social media.

Sign up for MPA's Virtual HIPAA Training Course

Read More

Topics: Training and Education, HIPAA, Social Media, security, breach notification, privacy, webinar

HIPAA Nightmare: Dentist tells patient to Get a Life

Posted by Margaret Scavotto, JD, CHC on 4/28/22 9:00 AM

Dr. U. Phillip Igbinadolor, D.M.D. & Associates received a $50,000 civil monetary penalty after his practice disclosed patient PHI in its response to a negative online review.

 

The practice did not respond to the OCR’s data request, did not respond to an administrative subpoena, and did not contest the findings in the OCR’s Notice of Proposed Determination.

 

The dentist’s response to the patient’s review stated:

 

It’s so fascinating to see [Complainant’s full name] make unsubstantiated accusations

when he only came to my practice on two occasions since October 2013. He never

came for his scheduled appointments as his treatment plans submitted to his insurance

company were approved. He last came to my office on March 2014 as an emergency

patient due to excruciating pain he was experiencing from the lower left quadrant. He

was given a second referral for a root canal treatment to be performed by my

endodontist colleague. Is that a bad experience? Only from someone hallucinating.

When people want to express their ignorance, you don't have to do anything, just let

them talk. He never came back for his scheduled appointment Does he deserve any

rating as a patient? Not even one star. I never performed any procedure on this

disgruntled patient other than oral examinations. From the foregoing, it's obvious that

[Complainant’s full name] level of intelligence is in question and he should continue

with his manual work and not expose himself to ridicule. Making derogatory

statements will not enhance your reputation in this era [Complainant’s full name].

Get a life.

 

Lessons to be Learned

The first lesson is obvious: don’t post PHI on social media without a valid HIPAA authorization. This is not the first time providers have responded to Yelp posts that included PHI or information that could identify the patient. Providers can respond to reviews with generic information about their practice – or ask patients to call. Provider responses should never reveal any information about the patient or their visit.

Another lesson is that the OCR is an equal-opportunity enforcement agency. All providers big and small can be investigated. In this instance, this was not a large provider.

Lastly, if you are unsure of what needs to be in place to comply with HIPAA to protect PHI, read the OCR resolution agreement for a prior - and similar - social media breach. The OCR provided the dental practice with “Corrective Action Obligations." These obligations can be used as a checklist to be used to evaluate your current privacy rule practices. Here are some (but not all) key requirements:

  • Policies and procedures that comply with the Privacy Rule.
  • The policies should cover the following:
    • Permissible and impermissible uses and disclosures of PHI
    • Administrative, technical and physical safeguards to protect the privacy of PHI
  • Privacy authorization form
  • A Notice of Privacy Practices – that lists the way PHI is used on social media
  • Provider contact to address Privacy issues – usually the designation of a Privacy Officer
  • Internal reporting mechanisms of possible violations
  • Policies that address corrective action of privacy policy violations
  • Privacy practice employee training

Read More

Topics: Penalties and Enforcement, HIPAA, Social Media

TikTok Terror

Posted by Margaret Scavotto, JD, CHC on 8/18/21 9:30 AM

A North Carolina Licensed Practical Nurse (LPN) was fired from a nursing home after she posted a series of videos on TikTok. The videos included the following phrases:

  • “I’d unplug your vent to charge my cell phone.”
  • “Me waking my patient up at 6:55 am to make sure they didn’t [sic] die from all the drugs i gave them to make them go to sleep”
  • “Me on my way to give my patients drugs so WE can get some good sleep tonight”

Wow.

It is not a surprise that the statement the nursing home issued about her termination stated:

Read More

Topics: HIPAA, Social Media, abuse, skilled nursing, compliance

Earn 5 CEUs with MPA’s Virtual HIPAA Training!

Posted by Margaret Scavotto, JD, CHC on 8/10/21 9:15 AM

HIPAA is a lot!

MPA's e-course makes it easier to keep up with privacy, security, breach notification, and social media.

Sign up for MPA's Virtual HIPAA Training Course

*** Approved for 5 hours of NAB CEUs***

Read More

Topics: Training and Education, HIPAA, Social Media, security, breach notification, privacy, webinar

Earn 5 CEUs with MPA’s Virtual HIPAA Training!

Posted by Margaret Scavotto, JD, CHC on 8/5/21 11:40 AM

HIPAA is a lot!

MPA's e-course makes it easier to keep up with privacy, security, breach notification, and social media.

Sign up for MPA's Virtual HIPAA Training Course

*** Approved for 5 hours of NAB CEUs***

Read More

Topics: Training and Education, HIPAA, Social Media, security, breach notification, privacy, webinar

Do you have a HIPAA authorization for that social media post?

Posted by Margaret Scavotto, JD, CHC on 2/16/21 10:00 AM

The pandemic has changed a lot for healthcare providers – including their social media use.

Most providers we talk to say they have increased their use of social media during COVID-19. Some providers are turning to social media to disseminate information about COVID-19 precautions, and, now, vaccine availability. We also see many providers using social media to keep the public informed, and to keep people connected during visitor restrictions. Many nursing homes are posting resident pictures and videos on Facebook or TikTok to give their loved ones a glimpse into life inside a nursing home during a lockdown. These strategies have led to creative – and often charming – social media campaigns.

For example:

I truly enjoy these posts, and I appreciate the clever social media campaigns and the connection they bring during a challenging time.

BUT – All of these social media uses bring risks.

Read More

Topics: HIPAA, Social Media, security, privacy

Earn 5 CEUs with MPA’s Virtual HIPAA Training!

Posted by Margaret Scavotto, JD, CHC on 2/5/21 9:00 AM

HIPAA is a lot!

MPA's e-course makes it easier to keep up with privacy, security, breach notification, and social media.

Sign up for MPA's Virtual HIPAA Training Course

*** Approved for 5 hours of NAB CEUs***

Read More

Topics: Training and Education, HIPAA, Social Media, security, breach notification, privacy, webinar

    Privacy Policy           Terms of Use